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EXECUTIVE  SUMMARY 


The  terrorist  attacks  of  September  11,  2001,  Hurricane  Katrina  in  2005,  “Super  Storm” 
Sandy  in  2012,  and  the  recent  widespread  flooding  in  Colorado  and  associated  damages 
to  critical  infrastructure,  only  reinforce  the  need  for  collaboration  between  federal,  state, 
and  local  government  for  pre-event  planning,  preparation,  response,  and  recovery. 

Research  conducted  sought  to  examine  the  relationship  between  the  National 
Infrastructure  Protection  Program  and  state  and  local  critical  infrastructure  planning. 
Specifically,  to  what  extent  does  the  federal  criteria  for  identifying  federal  critical 
infrastructure  and  key  resources  apply  to  state  and  local  identification  of  critical 
infrastructure  and  key  resources  (CIKR).  As  the  first  line  of  defense  and  response  to 
incidents  within  their  jurisdictions,  local  officials  must  work  to  identify  what  critical 
infrastructure  exists  within  and  more  importantly,  if  lost,  what  will  have  an  impact  on  the 
community’s  ability  to  provide  services. 

Research  included  a  comprehensive  analysis  of  the  National  Infrastructure 
Protection  Plan  (NIPP)  and  all  open  source  critical  infrastructure  sector-specific  plans.  A 
case  study  of  the  state  of  New  Hampshire  Critical  Infrastructure  Program  was  also 
included  as  an  example  of  a  “model  program”  for  state  governments. 

The  analysis  of  the  NIPP  and  subsequent  sector-specific  plans  indicates  that  there 
is  no  clear  connection  between  the  NIPP  and  local  government  CIKR  protection  and 
resiliency  planning.  Research  also  concluded  that,  while  some  states  have  worked  to 
develop  CIKR  plans,  and  do  participate  in  the  Annual  Federal  Data  Call  or  the  National 
Critical  Infrastructure  Prioritization  Program,  it  is  unclear  on  the  extent  of  participation  or 
the  number  of  assets  reported.  Conversely,  all  50  states  and  approximately  70  percent  of 
the  communities  in  the  U.S.  have  approved  hazard  mitigation  plans  under  the  Federal 
Emergency  Management  Agency’s  Pre-Disaster  Mitigation  Program  since  its  inception.* 
Between  2007  and  2012,  FEMA  awarded  $1.7  billion  in  Hazard  Mitigation  Planning 


*  Office  of  the  Inspector  General,  U.S.  Department  of  Homeland  Security,  Survey  of  Hazard  Mitigation 
Planning,  2012,  http://www.oig.dhs.gov/assets/Mgmt/2Q12/OIG  12-109  Augl2.pdf.  1. 
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Grants.^  During  a  similar  period  FEMA  spent  over  $17.3  billion  on  disaster  relief.^  This 
data  suggests  that  the  U.S.  is  not  committing  sufficient  resources  towards  prevention  and 
mitigation  of  the  impacts  associated  with  natural  and  manmade  disasters  and  that  inaction 
related  to  Cl  protection  and  more  importantly,  resiliency  planning  is  more  costly. 

This  thesis  suggests  three  major  recommendations  for  better  alignment  of  federal, 
state,  and  local  critical  infrastructure  planning. 

•  Strengthen  the  relationship  between  federal,  state,  and  local  critical 
infrastructure  planning.  This  can  be  accomplished  by  1)  Redefining  the 
CIKR  reporting  process  from  a  “top  down”  to  an  “up  and  down” 
information  flow  and  2)  Implementing  the  goals  and  objectives  related  to 
information  sharing  at  the  state  and  local  Levels  as  identified  in  the 
National  Strategy  for  Information  Sharing  and  Safeguarding.^ 

•  Link  hazard  mitigation  planning  with  national  infrastructure  protection 
and  resiliency  planning.  Each  planning  process  focuses  on  a  risk 
assessment  strategy  for  assessing  and  identifying  critical  assets,  networks, 
and  systems.  This  recommendation  suggests  the  development  of  a 
“hybrid”  planning  process  incorporating  key  elements  of  hazard  mitigation 
planning  and  the  NIPP. 

•  Create  standard  asset  definitions  for  all  CIKR  sectors.  Creating  a  standard, 
scalable  consequence  based  criteria  will  provide  clear  guidance  for 
developing  CIKR  lists  at  the  federal,  state  and  local  Level.  Consequence 
definitions  will  allow  planner  at  all  Levels  to  assess  assets,  systems,  and 
networks  in  a  uniform  manner  and  in  most  cases  are  easier  to  identify. 


^Office  of  the  Inspector  General,  U.S.  Department  of  Homeland  Security,  Survey  of  Hazard  Mitigation 
Planning,  2012,  http://www.oig.dhs.gov/assets/Mgmt/2012/OIG  12-109  Augl2.pdf 

^  Office  of  Budget  and  Management,  OMB  Report  on  Disaster  Relief  Funding  to  the  Committees  on 
Appropriations  and  the  Budget  of  the  U.S.  House  of  Representatives  and  the  Senate,  2011. 
http://www.whitehouse.gov/sites/default/files/omb/assets/legislative  reports/disaster  relief  report  sept201 

1  .pdf 

White  House,  National  Strategy  for  Information  Sharing  and  Safeguarding,  20 1 2, 
http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategv  l.pdf 
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I. 


INTRODUCTION 


“Emergency  Preparedness  is  a  Team  Sport”  i 
A.  PROBLEM  STATEMENT 

Most  recently,  Presidential  Policy  Directive  21  (PPD-21),  signed  by  President 
Obama  on  February  12,  2013,  redefined  the  federal  approach  from  the  current  Critical 
Infrastructure  Protection  to  Critical  Infrastructure  Security  and  Resilience?-  PPD-21 
states  the  following  among  three  strategic  imperatives; 

Refine  and  Clarify  Functional  Relationships  across  the  Federal 
Government  to  Advance  the  National  Unity  of  Effort  to  Strengthen 
Critical  Infrastructure  Security  and  Resilience 

An  effective  national  effort  to  strengthen  critical  infrastructure  security 
and  resilience  must  be  guided  by  a  national  plan  that  identifies  roles  and 
responsibilities  and  is  informed  by  the  expertise,  experience,  capabilities, 
and  responsibilities  of  the  SSAs,  other  Federal  departments  and  agencies 
with  critical  infrastructure  roles.  State,  local,  tribal  and  territorial  entities, 
and  critical  infrastructure  owners  and  operators.  ^ 

Federal  critical  infrastructure  protection  programs  pre-date  PPD-21,  including  the 
National  Infrastructure  Protection  Plan  (NIPP).  It  was  in  2008  to  address  the  national 
policy  for  critical  infrastructure  protection  and  key  resource  (CIKR)  protection 
requirements  set  forth  in  Presidential  Decision  Directive  7:  Critical  Infrastructure  (Cl) 
Identification,  Prioritization,  and  Protection  (PDD-V).^  The  primary  goal  of  the  NIPP  is 
to: 


^Eric  Whitaker,  “Preparing  for  a  Disaster,”  Dictionary  Quotes,  July  2012,  http://www. dictionary- 
quotes. com/emergencv-preparedness-is-a-team-sport-eric-whitaker/. 

2  White  House,  Presidential  Policy  Directive  21:  Critical  Infrastructure  Security  and  Resiliency, 

2013,  White  House,  http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-pohcv-directive- 
critical-infrastructure-securitv-and-resil. 

3  Ibid. 

^  White  House,  Presidential  Decision  Directive  7:  Critical  Infrastructure  Identification,  Prioritization, 
and  Protection,  2003,  Department  of  Homeland  Security,  http://www.dhs.gov/homeland-securi tv- 
presidential-directive-7. 
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...build  a  safer,  more  secure,  and  more  resilient  America  by  preventing, 
deterring,  neutralizing,  or  mitigating  the  effects  of  deliberate  efforts  by 
terrorists  to  destroy,  incapacitate,  or  exploit  elements  of  our  nation’s  CIKR 
and  to  strengthen  national  preparedness,  timely  response  and  rapid 
recovery  of  CIKR  in  the  event  of  an  attack,  natural  disaster,  or  other 
emergency. 

Recognizing  that  certain  federal,  state,  and  local  assets  can  be  critical  to  the  continuity  of 
government  operations,  the  NIPP  provides  the  framework  for  developing  critical 
infrastructure  protection  programs  for  all  Levels  of  government. 

The  NIPP  also  states,  but  does  not  mandate,  that  “State  and  local  governments  are 
responsible  for  implementing  the  homeland  security  mission,  protecting  public  safety  and 
welfare,  and  ensuring  the  provision  of  essential  services  to  communities  and  industries 
within  their  jurisdictions.”®  This  suggests  that  state  and  local  jurisdictions  are  a  major 
stakeholder  role  in  the  protection  of  Cl  and  the  development  of  asset  lists. 

This  thesis  will  analyze  the  relationship  between  the  federal  NIPP  and  local 
jurisdictions,  the  federal  methodology  for  defining  Cl,  and  the  importance  of  integrating 
local  officials  in  the  development  of  critical  infrastructure  protection  planning. 
Specifically,  research  will  seek  to  determine  how  or  if  the  federal  criteria  for  determining 
CIKR  assets  can  assist  state  and  local  governments  in  developing  CIKR  protection  and 
resiliency  plans  and  why  this  might  be  important.  Conversely,  what  role  do  state  and 
local  CIKR  protection  plans  play  within  the  federal  NIPP? 

Over  the  last  several  years  the  United  States  has  experienced  natural  and 
manmade  disasters  that  have  severely  impacted  critical  infrastructure.  For  example,  in 
2005  Hurricane  Katrina  struck  the  United  States  Gulf  Coast,  virtually  “collapsing  all 
critical  infrastructures  at  the  same  time.”^  The  White  House  Katrina  Report  described  the 
loss  of  one  sector,  the  communications  infrastructure  as  follows,  “The  complete 
devastation  of  this  infrastructure  left  first  responders  without  a  reliable  network  to  use  for 

®  U.S.  Department  of  Homeland  Seeurity,  National  Infrastructure  Protection  Plan,  2009,  Department 
of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/NIPP  Plan.pdf. 

®  Ibid.,  21. 

^  Robert  Miller,  “Hurrieane  Katrina:  Communieations  &  Infrastrueture  Impaets,”  in  Threats  at  Our 
Threshold,  2012,  http://astrumsat.eom/wp-eontent/uploads/2012/04/KatrinaHurrieaneComm.pdf. 


2 


coordinating  emergency  response.”*  The  Katrina  report  also  found  that  “Federal,  state 
and  loeal  officials  responded  to  Flurrioane  Katrina  without  comprehensive  understanding 
of  the  interdependeneies  of  the  Critical  Infrastructure  sectors  in  each  geographical  area 
and  the  potential  national  impaet  of  their  deeisions.”^ 

The  report  further  states: 

Federal,  State,  and  local  officials  need  an  implementation  plan  for  critieal 
infrastrueture  and  restoration  that  ean  be  shared  aeross  the  Federal 
government.  State  and  local  governments,  and  with  the  private  seetor,  to 
provide  them  with  the  neeessary  baekground  to  make  informed 
preparedness  deeisions  with  limited  resourees.”io 

Seven  years  later.  Super  Storm  Sandy  caused  major  damage  to  utility, 
transportation  systems,  health  eare  facilities,  water  and  waste  water  treatment  faeilities 
and  eommunications  systems  throughout  the  Atlantie  eoastal  region.  Damages  estimates 
are  in  the  billions  of  dollars.  The  Hurrieane  Sandy  Rebuilding  Task  Foree  lists 
extensive  recommendations  related  to  infrastrueture  resilieney  and  simply  states 
“examples  from  Sandy  that  illustrate  the  need  for  regional  coordination  of  resilience 
investments  were  seen  in  many  instanees.’’^^  One  reeurring  theme  amongst  the 
referenees  is  the  need  to  engage  state  and  local  jurisdictions  in  the  identification  and 
protection  of  critical  infrastructure  assets.  The  ineidents  eited  highlight  the  failures, 
despite  the  numerous  referenees  to  the  important  role  of  state  and  local  jurisdictions,  of 
proactive  CIKR  planning  at  all  Levels  of  government.  Whether  or  not  the  goal  of  Cl 
programs  is  protection  (PPD-7)  or  security  and  resilience  (PPD-21),  the  importanee  of 


*  White  House,  “The  Federal  Response  to  Hurrieane  Katrina:  Lessons  Learned,”  2006,  White  House 
Arehives,  http://georgewbush-whitehouse.arehives.gov/reports/katrina-lessons-learned/chapter5.html. 

9  Ibid.,  61. 

10  Ibid. 

11  Hurricane  Sandy  Rebuilding  Task  Force,  “Fact  Sheet:  Progress  to  Date,”  August  19,  2013,  U.S. 
Department  of  Housing  and  Urban  Development, 

http://portal.hud.gov/hudportaFHUD7srcWpress/press  releases  media  advisories/2013/HUDNo. 13-125. 

24. 

12  Ibid.,  54. 
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communicating  with,  and  including  state  and  local  jurisdictions  cannot  be  minimized. 
Each  example  above  stresses  the  importance  for  state  and  loeal  jurisdietions  to 
understand,  assess  and  identify  of  Cl  assets. 

While  Cl  assets  affected  by  any  of  the  above  incidents  might  not  have  been 
specifieally  proteeted  or  meet  the  criteria  for  protection,  it  begs  to  question  the 
effeetiveness  or  applicability  of  the  NIPP  for  state,  loeal,  tribal,  and  territorial 
governments.  The  Katrina  report  references  the  interim  NIPP  as  “providing  strategie- 
Level  guidanee  for  Federal,  State  and  local  entities  to  use  in  prioritizing  infrastrueture  for 
proteotion.”i3  However,  literature  does  not  outline  a  plan  for  implementing  plans. 

The  introduction  of  the  NIPP  states,  “Proteeting  and  ensuring  the  continuity  of  the 
Critieal  Infrastrueture  and  Key  Resourees  (CIKR)  of  the  United  States  is  essential  to  the 
Nation’s  security,  public  health  and  safety,  economic  vitality,  and  way  of  life. With 
emphasis  on  the  word  essential,  it  beeomes  clear  that  Cl  proteetion  and  resiliency 
planning  must  be  implemented  at  the  state  and  loeal  Level,  and  not  just  a  federal  effort. 
Lastly,  creating  standard  definitions  for  identifying  Cl  assets,  systems,  and  networks  will 
allow  state  and  local  governments  to  develop  Cl  protection  and  resiliency  plans  that 
augment  federal  plans. 

B.  RESEARCH  QUESTIONS 

•  To  what  extent  could  the  federal  criteria  for  identifying  federal  critical 
infrastructure  and  key  resources  apply  to  state  and  loeal  identification  of 
critical  infrastructure  and  key  resources? 

•  Should  eritieal  infrastrueture  proteetion  and  resiliency  plaiming  be 

important  to  state  and  local  governments? 

C.  ARGUMENT 

Every  community  in  this  country  has  some  asset(s),  whieh,  in  the  event  of  failure, 

would  have  a  signifieant  impact  on  the  eommunity  or  region.  Assets  eould  simply  be  a 
roadway,  community  well,  reservoir,  culvert  pipe,  or  health  care  facility  or  a  complex 

13  White  House,  “The  Federal  Response  to  Hurrieane  Katrina,”  61. 

1^  U.S.  Department  of  Homeland  Seeurity,  National  Infrastructure  Protection  Plan,  1. 
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system,  such  as  a  water  or  waste  water  treatment  facility.  In  Critical  Infrastructure 
Protection  in  Homeland  Security,  Ted  Lewis  claims,  “Critical  infrastructure  protection  is 
too  big  for  state  and  local  governments  to  handle  on  their  own”  and  “infrastructures  are, 
for  the  most  part,  national  assets. While  this  may  be  true  for  sectors,  such  as 
telecommunications,  energy  (oil,  pipeline,  electricity)  and  some  transportation  assets, 
other  sectors,  such  as  potable  water  treatment  and  delivery,  waste  water  treatment,  or 
health  care  are  located  in  and  the  responsibility  for  primary  emergency  response  often 
lies  with  local  jurisdictions. 

D,  SIGNIFICANCE  OF  THE  RESEARCH 

This  research  will  propose  to  identify  the  importance  of  engaging  local 
jurisdictions  in  the  development  of  local  definitions  for  CIKR  assets.  The  merits  of  this 
effort  and  possible  outcomes  will  be  development  of  a  CIKR  flow  model  that 
interconnects  federal,  state  and  local  definitions.  This  information  would  allow  local 
governments  to  develop  CIKR  protection  strategies,  develop  resiliency  plans,  better 
mitigate  natural  and  manmade  disasters  and  develop  partnerships  with  the  private  sector. 
Furthermore,  the  development  of  state  and  local  definitions  for  CIKR  assets  will  better 
assist  jurisdictions  with  indentifying  CIKR  and  developing  CIKR  protection  and 
resiliency  plans. 

E.  CHAPTER  OVERVIEW 

The  focus  of  this  thesis  centers  on  the  applicability  of  the  National  Infrastructure 
Protection  Program  to  local  jurisdictions.  Chapter  II  provides  a  summary  of  relevant 
literature  and  identifies  the  lack  of  available  resources  related  to  local  critical 
infrastructure  plans.  Chapter  III  will  frame  the  research  methodology  and  limitations 
used  to  answer  the  research  question.  Chapter  IV  provides  an  overview  and  comparison 
of  the  current  NIPP  and  the  expected  changes  in  the  NIPP  as  a  result  of  PPD-21.  This 
chapter  also  lays  out  one  approach  to  critical  infrastructure  protection  planning  through  a 
case  study  on  the  state  of  New  Hampshire  Critical  Infrastructure  Protection  Program. 

Ted  G.  Lewis,  Critical  Infrastructure  Protection  in  Homeland  Security  (Hoboken,  NJ:  John  Wiley 
&  Sons,  2006),  10. 
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Chapter  V  will  summarize  the  key  findings  and  offer  recommendations  for  improving 
critical  infrastructure  protection  and  resiliency  programs  for  local  jurisdictions.  Lastly, 
Chapter  VI  will  present  some  final  thoughts  on  critical  infrastructure  protection  and 
resiliency  and  suggest  future  research  topics. 

F.  CONCLUSION 

No  matter  who  owns  critical  infrastructure  assets,  private  companies,  federal, 
state  or  local  governments,  most  of  these  assets  will  have  some  contact  with  local 
jurisdictions.  History  has  proven  that  many  local  jurisdictions  are  ill  prepared  to  respond 
to,  protect  or  assist  in  the  recovery  of  these  key  assets  and  therefore  must  be  engaged  in 
the  development  of  CIKR  asset  lists  at  all  Levels  of  government.  Furthermore,  Cl 
protection  and  resiliency  planning  must  include  an  “all-hazards”  approach.  Of  the  787 
major  disaster  declarations  for  the  years  2001-2013,  only  two  can  be  attributed  to 
terrorism.  Without  diminishing  the  effects  of  a  terrorist  event,  this  statistic  suggests  that 
communities  are  much  more  likely  to  experience  a  natural  disaster  over  a  terrorist  attack. 


16  Federal  Emergeney  Management  Ageney,  “Disaster  Deelarations,”  Federal  Emergeney 
Management  Ageney,  aeeessed  August  14,  2013,  http://www.fema. gov/disasters/ grid/vear. 
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II.  LITERATURE  REVIEW 


According  to  the  2003  State  Ojficials  Guide  to  Critical  Infrastructure  Protection 
(CIP),  there  are  75,000+  state  and  locally  owned  dams  and  reservoirs,  700,000+  miles  of 
drinking  water  networks,  5,800+  hospitals,  over  87,000  emergency  service/law 
enforcement  ageneies,  104  eommereial  nuelear  power  plants,  100,000+  miles  of  railroad 
and  5,000+  public  airports  and  many  other  identified  critical  infrastructure  located 
throughout  the  United  States  4^  While  the  federal  government  has  an  interest  in 
protecting  Cl  of  national  significance,  most  of  the  Cl  above  is  located  in  local 
jurisdictions.  This  places  tremendous  responsibility  for  protecting  Cl  assets  on  state  and 
local  jurisdictions. 

The  materials  reviewed  include;  government  reports,  federal  infrastructure 
protection  guidance  documents,  state  homeland  seeurity  strategies,  federal  hazard 
mitigation  planning  guides  and  foundation  reports. 

A,  WHAT  IS  CRITICAL  INFRASTRUCTURE? 

While  infrastruetures  have  always  been  important  at  the  federal,  state,  and  local 
Levels,  eritical  infrastructure  identification  dates  back  several  hundred  years  with  the 
development  of  systems,  such  as  the  postal  service  that  “sustain  our  way  of  life.”i^ 
However,  formal  definitions  were  not  developed  until  the  late  1990s  In  May  1998, 
President  Clinton  issued  Presidential  Decision  Directive/NSC  63  (PPD-63),  which 
defines  Cl  as,  “those  physical  and  cyber-based  systems  essential  to  the  minimum 
operations  of  the  eeonomy  and  government.  They  include,  but  are  not  limited  to 
telecommunieations,  energy,  banking  and  finance,  transportation,  water  systems  and 
emergency  services,  both  governmental  and  private.” This  directive  identified  a  total 


Council  of  State  Governments,  “State  Officials  Guide  to  Critical  Infrastructure,”  2003,  Council  of 
State  Governments  http://www.csg.org/knowledgecenter/docs/SOG03CriticalInfrastructure.pdf 

Ibid,  p.4 

White  House,  Presidential  Decision  Directive/NSC  63,  1998,  Federation  of  American  Scientists, 
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. 
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of  10  specific  sectors  with  liaisons  and  four  special  topic  areas. The  directives  outlined 
in  PPD-63  were  a  result  of  the  recommendations  by  the  President’s  Commission  on 
Critical  Infrastructure  Protection  (PCCIP).  The  PPCIP  was  established  in  1996  was 
tasked  with  reporting  to  the  president  on  the  threats  and  vulnerabilities  to  the  nation’s 
critical  infrastructure. 21 

The  Department  of  Homeland  Security  has  adopted  the  definition  from  the  U.S. 
PATRIOT  Act,  which  defines  Cl  as  “the  assets,  systems,  and  networks,  whether  physical 
or  virtual,  so  vital  to  the  United  States  that  their  incapacitation  or  destruction  would  have 
a  debilitating  effect  on  security,  national  economic  security,  public  health  or  safety,  or 
any  combination  thereof.”22  This  definition  amended  to  include  intentional  acts  as  a 
result  of  the  terrorist  attacks  of  September  11,  2001.  While  the  definitions  in  PPD-63  and 
the  PATRIOT  Act  are  very  similar,  the  definition  provided  in  Presidential  Decision 
Directive/NSC  63  was  developed  in  the  “structure  for  implementing  Cl  policy  and  a 
limited  scope  in  the  specific  sectors. ”23  The  United  States  PATRIOT  Act  definition 
provides  for  a  broader  spectrum  of  Cl  assets  and  threats  and  led  to  the  expansion  of  the 
Cl  sectors  to  18. 

B.  FEDERAL  GUIDANCE 

In  2005,  the  United  States  Department  of  Homeland  Security  released  the  Interim 
National  Infrastructure  Protection  Plan  (INIPP)  as  a  “starting  point  for  developing  the 
national,  cross-sector  plan  for  Critical  Infrastructure  Protection.  ”24  This  plan  identified 
17  Cl  asset  sectors  and  assigned  each  sector  to  a  “sector  specific”  agency.  Sector  specific 
agencies  are  responsible  for  identifying  sectors  assets,  systems,  and  networks. 


20  Ibid. 

21  President’s  Commission  on  Critical  Infrastructure  Protection,  “Critical  Foundations — Protecting 
America’s  Infrastructure,”  1997,  Federation  of  American  Scientists, 
http://www.fas.org/sgp/librarv/pccip.pdf 

22  Department  of  Homeland  Security,  “Critical  Infrastructure  Protection,”  Department  of  Homeland 
Security,  http : //www . dhs .  gov/ critical- infrastructure . 

23  Council  of  State  Governments,  “State  Officials  Guide  to  Critical  Infrastructure,”  5. 

24  U.S.  Department  of  Homeland  Security,  Interim  National  Infrastructure  Protection  Plan,  2005, 
Educase,  http://net.educause.edu/ir/hbrarv/pdf/csd3754.pdf. 
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interdependencies,  and  for  establishing  risk  assessment  guidelines  for  the  sector. 
Furthermore,  this  plan  listed  the  following  as  key  stakeholders  and  partnerships: 
Department  of  Homeland  Security;  sector-specific  agencies;  private  sector;  and  state, 
local,  and  tribal  entities.  25  Goal  4  of  the  INIPP  states,  “Build  Partnerships  among  Federal, 
State,  local,  tribal,  international,  and  private  sector  stakeholders  to  implement  Critical 
Infrastructure  Protection  Programs. ”26  This  would  suggest  that  collaborative  approach  is 
needed  to  develop  effective  CIKR  protection  plans. 

The  National  Infrastructure  Protection  Plan  was  released  in  2008  to  address  the 
national  policy  for  critical  infrastructure  protection  and  key  resource  protection  (CIKR) 
requirements  set  forth  in  Presidential  Decision  Directive  7:  Critical  Infrastructure 
Identification,  Prioritization,  and  Protection  (PDD-7).22  The  NIPP  emphasizes  the 
inclusion  of  key  partners,  such  as  state,  local,  tribal  and  territorial  governments  for  the 
implementation.  28  The  theme  of  specifically  including  state  and  local  governments  pre¬ 
dates  the  Interim  NIPP  and  the  2008  NIPP.  The  earliest  reference  found  in  GAO-OI-323, 
Critical  Infrastructure  Protection  states: 

The  January  2000  National  Plan  for  Information  Systems  Protection,  the 
role  of  the  federal  government  is  to  encourage  nonfederal  entities  (the 
private  sector  and  state  and  local  governments)  to  organize  themselves  for 
efficient  information  exchange  about  cyber  threats  and  incidents. 29 

State  and  local  jurisdictions  are  identified  as  “key  stakeholders”  in  the  effort  to  protecting 
Critical  Infrastructure  and  sharing  information  related  to  threats,  vulnerabilities,  and 
consequences  associated  with  failure  of  CL 

Furthermore,  the  NIPP  and  PDD-7  identifies  18  sectors  for  CIKR  and  assigns 
each  a  “sector-specific  agency”  that  is  responsible  for  developing  federal  CIKR  sector 


25  Ibid,  p.4 

26  Ibid.,  8 

22  White  House,  Presidential  Decision  Directive  7. 

28  U.S.  Department  of  Homeland  Seeurity,  National  Infrastructure  Protection  Plan,  2. 

29  General  Aeeounting  Offiee,  Critical  Infrastructure  Protection  (GAO-01-323),  2001,  Homeland 
Seeurity  Digital  Library,  https://www.hsdl.org/?view&did=197. 
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specific  criteria.30  For  example,  the  water  sector  has  been  assigned  to  the  Environmental 
Protection  Agency  (EPA).3i  EPA  has  established  the  criteria  for  determining  nationally 
significant  assets  in  the  water  sector  in  a  sector-specific  plan.  32  Each  sector-specific 
agency  is  then  responsible  for  developing  criteria  for  defining  Cl  within  the  sector.  Eor 
example,  in  order  to  meet  the  federal  tier  Levels,  critical  water  treatment  facilities  are 
assessed  based  on;  1)  population  served;  2)  on-site  gaseous  chlorine  storage;  3)  Economic 
loss  impact;  and  4)  critical  customers  served.  33 

The  benefits  of  implementing  the  NIPP  are  listed  as:  34 

•  Understanding  of  CIKR  assets,  systems,  networks,  and  facilities,  and  other 
capabilities  through  industry  ownership  and  management  of  a  vast 
majority  of  CIKR  in  most  sectors; 

•  Ability  to  take  action  to  reduce  risk  and  to  respond  to  and  recover  from 
incidents; 

•  Ability  to  innovate  and  to  provide  products,  services,  and  technologies  to 
quickly  focus  on  mission  needs;  and 

•  Robust  relationships  that  are  useful  for  sharing  and  protecting  sensitive 
information  regarding  threats,  vulnerabilities,  countermeasures,  and  best 
practices. 

Despite  numerous  references  to  state  and  local  partners  and  stated  benefits,  clear 
guidance  for  defining  critical  assets,  networks,  and  systems  for  State  and  local 
jurisdictions  is  absent. 

C.  STATE  STRATEGIES  FOR  CIKR  PROTECTION 

A  limited  review  of  readily  available  state  homeland  security  strategies  and  state 
critical  infrastructure  protection  programs  for  New  Hampshire,  Vermont,  Massachusetts, 
Kansas,  New  Mexico,  Missouri,  Virginia,  and  Pennsylvania  demonstrates  that 


30  U.S.  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  1. 

31  Ibid. 

32  U.S.  Environmental  Protection  Agency,  Water  Sector-Specific  Plan,  2010,  U.S.  Department  of 
Homeland  Security,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-water-2010.pdf 

33  Brandon  Wales,  2009  Tier  I  and  II Data  Call  (Washington,  DC:  U.S.  Department  of  Homeland 
Security,  2009)  (Restricted  document). 

34  U.S.  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  10. 
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establishing  and/or  classifying  Cl  at  the  state  Level  is  a  priority.  35  The  focus  and  scope 
of  the  plans  vary.  For  example,  Virginia’s  program  mirrors  the  federal  plan  by  assigning 
sector-specihc  agencies  who  are  charged  with  developing  state  criteria. 36  New  Mexico 
places  a  large  emphasis  on  public-private  collaboration  but  does  not  develop  sector 
dehnitions.  Furthermore,  New  Mexico  suggests  that  the  federal  strategy  promotes  “stove¬ 
piping”  and  may  limit  vital  communications  amongst  the  sectors. 37  In  addition, 
Massachusetts  strategy  lists  a  goal  of  “creating  a  common  operating  picture  among 
homeland  security  and  public  safety  stakeholders. ”38  The  objective  related  to  Cl  is  the 
“Commonwealth  must  be  committed  to  providing  a  statewide  coordinated  approach  to 
the  identihcation,  prioritization  and  protection  of  critical  infrastructure  and  key  resources 
and  that  information  must  be  shared  with  important  stakeholders  and  emergency  response 

personnel. ”39 

Another  plan,  the  state  of  Vermont  homeland  security  strategy,  establishes  one 
goal  “Sustain  the  NIPP  in  Vermont”  and  one  objective,  “Implement  the  Vermont 


35  Kansas  Division  of  Emergency  Management,  “Kansas  State  Homeland  Security  Strategy  Goals  and 
Objectives,”  2009,  http://www.accesskansas.org/kdem/EMSWeb/pdf/librarv 

/State%20Strategv%20Fall%202009%20FINAL  1  .pdf;  D.  J.  O’Neil,  “Statewide  Critical  Infrastructure 
Protection:  New  Mexico’s  Model,”  TR  News,  no.  211  (2000); 

http://onlinepubs.trb.org/onlinepubs/trnews/trnews2 1 1  .pdf;  Office  of  the  Inspector  General,  U.S. 
Department  of  Homeland  Security,  State  of  Missouri ’s  Management  of  State  Homeland  Security  Program 
and  Urban  Areas  Security  Initiative  Grants  Awarded  during  Fiscal  Years  2005  through  2007,  2010,  Office 
of  the  Inspector  General,  http://www.oig.dhs.gov/assets/Mgmt/OIG  10-33  Janl0.pdf;  State  of  New 
Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Homeland  Security  CI/KR  Identification 
Report,  March  10,  2008,  (For  official  use  only);  E.  V.  Jones,  V.  J.  Lyford,  M.  K.  Qazi,  N.  J.  Solan,  Y.  Y. 
Haimes,  Virginia 's  Critical  Infrastructure  Protection  Study,  2003, 

http://ieeexplore.ieee.org/xpl/abstractAuthors.isp?tp=&arnumber=1242416&urLhttp%3A%2F%2Fieeexpl 

ore.ieee.org%2Fiel5%2F8798%2F27841%2F0 12424 16;  Office  of  the  Inspector  General,  U.S.  Department 
of  Homeland  Security,  Commonwealth  of  Pennsylvania ’s  Management  of  State  Homeland  Security 
Program  and  Urban  Areas  Security  Initiative  Grants,  2011,  http://www.oig.dhs.gov/assets/Mgmt/OIG  11- 
109  Sepll.pdf;  Commonwealth  of  Massachusetts,  Executive  Office  of  Public  Safety  and  Security, 
Commonwealth  of  Massachusetts  Homeland  Security  Strategy,  2007, 

http://www.mass.gOv/eopss/docs/helpus-helpvou/state-homeland-securitv-strategv-092307.pdf;  State  of 

Vermont  Division  of  Emergency  Management  and  Homeland  Security,  Vermont  Homeland  Security 
Strategy,  2012, 

http://hsu.vermont.gOv/sites/vhs/files/2013%20Vermont%20State%20Strategv%20FINAL%20101512.pdf. 

36  E.  V.  Jones  et  ah,  Virginia ’s  Critical  Infrastructure  Protection  Study  (2003). 

37  O’Neil,  Statewide  Critical  Infrastructure  Protection. 

38  Commonwealth  of  Massachusetts,  Executive  Office  of  Public  Safety  and  Security,  Commonwealth 
of  Massachusetts  Homeland  Security  Strategy,  6. 

39  Ibid.,  12. 
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Infrastructure  Protection  Plan  (VIPP)”  related  to  Cl  protection.  scope  of  the  VIPP 

is  to  “employ  an  all-hazards  approach  to  identify  and  protect  CIKR  with  statewide, 
regional  or  national  implications  that  if  lost  or  disrupted  would  have  a  significant 
detrimental  impact.”4i  Vermont’s  infrastructure  plan  mirrors  the  NIPP  by  assigning 
sector  specific  agencies  for  18  sectors.  The  plan  defines  the  scope  of  each  sector  and 
identifies  some  assets  deemed  critical. ^2  Finally,  New  Hampshire  does  follow  the  federal 
strategy  by  assigning  sector-specific  agencies,  but  it  limits  the  possibility  of  “stove¬ 
piping”  by  having  all  sectors  report  back  to  a  main  Cl  committee.  Additionally,  New 
Hampshire  has  further  developed  definitions  for  identifying  Cl  assets  that  are  critical  to 
the  state  or  region. ^3  This  can  assist  the  state  in  developing  Cl  protection  plans  and 
allocating  grant  monies  for  buying  down  risk. 

D.  LOCAL  CIKR  DEFINITIONS 

While  mueh  of  the  literature  reviewed  acknowledges  that  most  Cl  is  loeated  in 
local  jurisdictions  and  stresses  the  importance  of  engaging  local  authorities,  there  is  little 
information  on  the  processes  and/or  suggested  criteria  for  developing  local  CIKR 
definitions  or  asset  lists.  A  2008  DHS  guide  for  CIKR  suggests  that  “states,  regions  and 
communities  may  contain  CIKR  that  are  very  important  to  the  local  economy  and  the 
safety  and  confidenee  of  the  population,  even  if  they  are  not  nationally  signifioant.”44 
Much  of  the  literature  reviewed  suggests  that  states  are  encouraged  to  work  with  local 
jurisdictions  to  develop  CIKR  protection  plans.  With  this  said  the  membership  of  the 
State,  Local,  Tribal  and  Territorial  Government  Coordinating  Council  (SLTTGCC), 


State  of  Vermont  Division  of  Emergency  Management  and  Homeland  Security,  Vermont  Homeland 
Security. 

State  of  Vermont  Division  of  Emergency  Management  and  Homeland  Security,  Vermont 
Infrastructure  Protection  Plan,  2009,  http://vem.vermont.gov/local  state  plans/eop. 

42  Ibid.,  32^2. 

43  State  of  New  Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Homeland  Security  CI/KR 
Identification  Report. 

44  U.S.  Department  of  Homeland  Security,  A  Guide  to  Critical  Infrastructure  and  Key  Resources 
Protection  at  the  State,  Regional,  Local,  Tribal  and  Territorial  Level,  2008,  U.S.  Department  of  Homeland 
Security,  http://www.dhs.gov/xlibrarv/assets/nipp  srtltt  guide.pdf. 
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established  in  2007  in  the  implementation  of  the  National  Infrastructure  Protection  Plan, 
includes  only  six  local  cities  or  towns  as  of  August  201 1.^^ 

Natural  hazard  mitigation  planning,  which  is  mandatory  for  state  and  local 
governments  to  be  eligible  for  receiving  non-emergency  disaster  assistance,  is  one 
process  that  may  be  looking  at  CIKR  assets  but  in  the  context  of  natural  disasters  and  not 
terrorism.  Natural  hazard  mitigation  planning  is  “the  process  of  figuring  out  how  to 
reduce  or  eliminate  the  loss  of  life  and  property  damage  resulting  from  natural 
hazards. While  this  type  of  planning  does  not  meet  the  individual  sector  designations 
found  in  federal  and  state  guidance  or  specifically  address  “human  caused”  disasters,  this 
process  does  categorize  “critical  buildings  and  facilities”  in  five  areas;  1)  essential 
facilities;  2)  transportation  systems;  3)  life-line  utility  systems;  4)  high  potential  loss 
facilities;  and  5)  hazardous  materials  facilities.  While  these  plans  only  address  protection 
from  natural  hazards,  leveraging  the  process  and  definitions  may  assist  local  jurisdictions 
in  developing  Cl  protection  and  resiliency  plans.  The  Federal  Emergency  Management 
Agency  (FEMA)  suggests  there  are  numerous  benefits  to  hazard  mitigation  planning: ^7 

•  Identifying  cost  effective  actions  for  risk  reduction  that  are  agreed  upon  by 
stakeholders  and  the  public; 

•  Focusing  resources  on  the  greatest  risks  and  vulnerabilities; 

•  Building  partnerships  by  involving  people,  organizations,  and  businesses; 

•  Increasing  education  and  awareness  of  hazards  and  risk; 

•  Communicating  priorities  to  state  and  federal  officials; 

•  Aligning  risk  reduction  with  other  community  objectives. 

Communities  participating  in  hazard  mitigation  planning  are  in  fact  determining 

what  assets,  systems,  and  networks  are  critical  to  the  continuity  of  local  government 

State,  Local,  Tribal  and  Territorial  Government  Coordinating  Council,  “SLTTGCC  Fact  Sheet,” 

201 1,  U.S.  Department  of  Flomeland  Security,  http://www.dhs.gov/xlibrarv/assets/slttgcc-factsheet-5Q8- 
2Qll-Q8-19.pdf 

46  Federal  Emergency  Management  Agency,  State  and  Local  Hazard  Mitigation  Planning — How-to 
Guide,  2001,  Federal  Emergency  Management  Agency, 

http  ://www.  fema.  gov/hbrarv/viewRecord.do?id=  1880. 

47  Federal  Emergency  Management  Agency,  “Flazard  Mitigation  Planning,”  Federal  Emergency 
Management  Agency,  accessed  September  14,  2013,  http ://www. fema. gov/multi-hazard-mitigation- 
planning. 
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operations  and  will  realize  the  benefits  above.  In  essence,  local  jurisdictions  are  arguably 
developing  CIKR  protection  and  resiliency  plans  if  they  are  participating  in  hazard 
mitigation  planning. 

E.  CONCLUSION 

The  limited  information  available  related  to  implementing  and  defining  critical 
infrastructure  at  the  local  Level  supports  the  need  for  further  research  to  answer  the 
following  questions; 

1 .  Is  there  a  need  to  develop  definitions  for  assisting  local 
governments  to  assess  and  identify  CIKR? 

2.  What  value  do  identifying  Critical  Infrastructure  assets  provide  for 
local  jurisdictions? 

3.  How  do  the  federal,  state  and  Local  CIKR  definitions  intersect? 

In  a  2005  Homeland  Security  Affairs  article,  “Potholes  and  Detours  in  the  Road  to 
Critical  Infrastructure  Protection  Policy,”  the  authors  suggest  that  “the  federal 
government  take  greater  responsibility  (and  control)  over  state  and  local  decisions” 
related  to  CI.'^*  While  this  may  better  develop  federal  Cl  asset  lists  and  better  address 
sectors  with  an  interstate  impact,  it  is  important  to  remember  that  all  responses  to  natural 
and  manmade  disasters  begin  at  the  local  Level.  Local  jurisdictions  should  have  an 
interest,  and  a  voice  in  how  they  deploy  resources,  both  physical  and  financial,  in  the 
protection  of  their  communities.  Conversely,  local  jurisdictions  must  understand  the 
importance  of  protecting  CIKR  and  developing  resiliency  plans  with  less  reliance  on  state 
and  federal  governments.  CIKR  protection  is  a  local  problem. 


Ted  G.  Lewis  and  Rudy  Darken,  “Potholes  and  Detours  in  the  Road  to  Critieal  Infrastrueture 
Proteetion  Poliey,”  Homeland  Security  Affairs,  1,  no.  2  (2005),  http://www.hsai. org/?artiele=l. 2.1. 
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III.  RESEARCH  METHODOLOGY 


A.  RESEARCH  METHOD 

1,  Objective 

The  purpose  of  this  researeh  was  to  conduet  an  analysis  of  the  existing  federal 
Critical  Infrastructure  and  Key  Resources  Protection  Program  to  determine  the  overall 
effectiveness  and  applicability  of  this  program  for  identifying  and  protecting  CIKR  assets 
at  the  state  and  local  Level,  and  to  make  recommendations  for  improvement. 
Furthermore,  this  research  performed  a  case  study  of  the  state  of  New  Hampshire  model 
for  identifying  CIKR  assets  at  the  state  Level. 

2,  Sample  Selection 

First,  as  the  foundation  for  developing  CIKR  protection  plans,  the  Department  of 
Homeland  Security  (DHS)  released  the  National  Infrastructure  Protection  Plan  in  2008 
to  address  the  national  policy  for  critical  infrastructure  protection  and  key  resource 
protection  (CIKR)  requirements  as  set  forth  in  Presidential  Decision  Directive  7  (PDD- 
7):  Critical  Infrastructure  Identification,  Prioritization,  and  Protections^  PDD-7 
identifies  18  sectors  for  CIKR  and  assigns  each  a  “sector-specific  agency,”  which  is 
responsible  for  developing  federal  CIKR  sector  specific  criteria.  Secondly,  the  state  of 
New  Hampshire,  via  a  subcommittee  of  the  Governor’s  Advisory  Council  on  Emergency 
Preparedness  and  Security  (ACEPS),  has  reviewed  the  federal  criteria  for  identifying 
CIKR  assets  and  has  developed  definitions  for  defining  assets  that  are  critical  to  the 
state.  Lastly,  an  analysis  of  alternative  community  preparedness  programs  and  state 
homeland  security  strategies  was  conducted  to  determine  whether  these  methodologies 
can  be  applied  to  state  and/or  local  CIKR  protection  programs. 


White  House,  Presidential  Decision  Directive  7. 

50  State  of  New  Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Homeland  Security  CI/KR 
Identification  Report  (restrieted-aeeess  doeument). 
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3. 


Data  Sources 


Research  data  sources  included  the  NIPP,  government  reports  and  state  homeland 
security  strategies.  Furthermore,  data  was  collected  via  an  information  request  to  each  of 
New  England  states’  Department  of  Homeland  Security  to  gather  data  related  to  each 
state’s  homeland  security  strategy  and  state-specific  critical  infrastructure  protection 
programs. 

4.  Analysis 

Analysis  included  a  review  of  the  strengths  and  weaknesses  of  the  NIPP  as  it 
relates  to  CIKR  definitions  at  the  state  and  local  Level.  Further  analysis  sought  to  identify 
the  relationships  between  the  sample  selections  and  to  identify  potential  gaps  in  the 
applicability  to  state  and  local  CIKR  protection  planning.  Furthermore,  a  case  study  of 
the  state  of  New  Hampshire  CIKR  program  was  performed  to  compare  this  program  to 
the  NIPP  and  the  federal  criteria  for  CIKR  asset  identification. 

5,  Output 

Through  process  modeling  this  research  sought  to  identify  a  model  framework  for 
developing  a  local  CIKR  protection  program  and  defining  assets  that  are  critical  to  local 
jurisdictions. 

B,  RESEARCH  LIMITATIONS 

The  analysis  of  relevant  data  included  the  need  to  review  state  homeland  security 
strategies  as  the  basis  for  data  related  to  critical  infrastructure  protection  planning  efforts 
at  the  state  Level.  Upon  searching  the  literature,  there  were  a  very  limited  number  of  state 
strategies  available  as  open  source  documents.  In  an  effort  to  maintain  a  manageable 
quantity  of  data,  the  New  England  region  was  selected.  Additionally,  research  found  no 
local  CIKR  protection  planning  strategies.  Lastly,  some  data  sources  reviewed  were 
labeled  as  “For  Official  Use  Only”  and  therefore  not  open  source  documents.  The  author 
chose  to  purposely  not  include  specific  data  related  to  these  documents  in  an  effort  to 
maintain  this  thesis  as  an  open  source  document. 
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IV.  SUMMARY  OF  DATA 


A,  FEDERAL  CRITICAL  INFRASTRUCTURE  PROTECTION  PROGRAM 

This  section  will  review  the  criteria  for  assessing  and  prioritizing  assets,  systems, 
and  networks  for  the  federal  sectors-specific  plans  (SSP)  for  the  sectors  identified  in 
PPD-21  and  the  applicability  of  these  criteria  to  State  and  local  jurisdictions.  The 
Government  Facilities  Sector-Specific  plan  has  not  been  included  as  is  not  available  as  an 
open  source  document.  Each  of  the  SSP’s  utilizes  the  National  Infrastructure  Protection 
Plan  Risk  Management  Framework  for  developing  their  respective  sectors  plan. 

The  Risk  Management  Framework  lays  the  foundation  for  the  steps  in  developing 
the  sector  specific  plans.  The  key  components  are:  setting  goals  and  objectives;  identify 
assets,  systems,  and  networks;  assess  risk;  prioritize  assets,  systems,  and  networks; 
implement  programs;  and  measure  effectiveness, 


Assess 

Risks 

(Consequences. 
Vulnerabilities, 
and  Threats) 


Set  Goals 
and 

Objectives 


Identify  Assets, 
Systems, 
and  Networks 


Implement 

Programs 


Measure 

Effectiveness 


Prioritize 


Physical 


Figure  1 .  NIPP  Risk  Management  Framework52 


B.  SETTING  GOALS  AND  OBJECTIVES 

The  NIPP  states,  “Achieving  robust,  protected,  and  resilient  infrastructure 
requires  national,  state,  local,  and  sector-specific  CIKR  protection  visions,  goals,  and 


U.S.  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  28. 
52  Ibid.,  27. 
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objectives  that  describe  the  desired  risk  management  posture. Furthermore,  the  NIPP 
states  that  the  risk  management  framework  supports  this  goal  by  “enabling  the 
development  of  the  national,  State,  regional  and  sector  risk  profiles”  and  “enabling  DHS, 
SSA’s,  and  other  partners  to  reduce  the  potential  consequences,  threats,  or  vulnerabilities 
to  CIKR.54 

C.  IDENTIFY  ASSETS,  SYSTEMS,  AND  NETWORKS 

The  Department  of  Homeland  Security  maintains  an  inventory  of  the  nation’s 
CIKR  assets,  systems  and  networks.  Each  sector-specific  agency  is  responsible  for 
working  with  owners  and  operators  of  Cl,  sector  coordinating  councils  (SCC),^®  and 
other  sources  to  develop  the  inventories  of  sector  assets,  systems  and  networks. The 
individual  sector  lists  are  used  to  populate  the  nation’s  inventory  of  critical  assets, 
networks,  and  systems.  Other  mechanisms  described  for  developing  Cl  inventories 
include;  voluntary  submittals;  study  results;  ongoing  reviews  of  high  risk  locations;  and 
the  DHS  National  Critical  Infrastructure  Prioritization  Program  (NICPP)  data  call.^s 

The  NCIPP  data  call  is  an  annual,  voluntary  request  to  state,  territorial  and 
Federal  CIKR  partners,  in  which  Cl  assets,  systems  or  networks  are  “nominated”  for 
inclusion  in  the  Federal  inventory.  According  to  DHS,  the  main  goals  of  the  NCIPP  are 
to:  (I)  identify  infrastructure  critical  to  the  nation’s  public  health  and  safety,  economic,  or 
national  security;  (2)  better  prioritize  assets,  systems,  and  networks  so  as  to  allow  DHS  to 
more  efficiently  allocate  resources;  and  (3)  focus  planning,  foster  coordination,  and 


53  Ibid.,  28. 

54  Ibid. 

55  Ibid.,  29. 

5®  Sector  Coordinating  Council  has  self-organized  membership  and  should  be  representative  of  a  broad 
base  of  owners,  operators,  associations,  and  other  entities — both  large  and  small — within  a  sector.  U.S. 
Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  55. 

57  Ibid.,  30. 

58  Ibid. 

59  Ibid. 
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support  preparedness  efforts  for  ineident  management,  response,  and  restoration  aetivities 
by  developing  a  eollaborative  relationships  amongst  all  stakeholders.®^ 

1,  Assess  Risk 

The  NIPP  suggests  that  CIKR  seetors  assess  risk  in  the  context  of  consequence, 
vulnerability,  and  threat. 


Risk  =  Consequence  x  Vulnerability  x  Threat 

•  Consequence  can  be  viewed  as  the  overall  effects  of  an  incident. 
Typical  examples  can  include  loss  of  life  or  injuries,  property  loss,  fear 
instilled  in  a  population,  or  impact  to  government  operations. 

•  Vulnerability  can  be  defined  as  a  weakness  that  could  result  in  the  success 
of  any  of  the  above  consequences. 

•  Threat  is  often  the  most  difficult  to  determine  but  can  be  defined  as 
“natural  or  manmade  occurrence,  individual,  entity,  or  action  that  has  or 
indicates  the  potential  to  harm  life,  information,  operations,  the 
environment,  and/or  property.”  ®2 

Examples  of  threat  can  be  specific  intelligence  related  to  an  attack  on  a  community  or 
infrastructure  or  the  forecast  of  a  severe  weather  event  to  impact  a  community. 

2,  Prioritize  Assets,  Systems,  and  Networks 

This  process  “involves  aggregating,  combining,  and  analyzing  risk  assessment 
results  to  determine  which  assets,  systems,  networks,  sectors,  or  combinations  of  these 
face  the  highest  risk  so  that  risk  management  priorities  can  be  established.”®^  The  NCIPP 
has  developed  criteria  to  prioritize  high-risk  federal  assets,  systems  or  networks  as  either 
Level  1  or  Level  2  based  on  consequence  in  four  areas;  fatalities,  economic  loss,  mass 
evacuation  length,  and  degradation  of  national  security.  ®4  In  order  for  an  asset,  system  or 
network  to  be  included  on  the  Level  1  or  2  lists  it  must  meet  two  of  the  four  consequence 

®*^  Government  Aceountability  Office,  Critical  Infrastructure  Protection:  DHS  List  of  Priority  Assets 
Needs  to  Be  Validated  and  Reported  to  Congress  (GAO- 13-296),  2013,  Government  Accountability  Office, 
http://www.gao.gOv/assets/660/653300.pdf 

®^  U.S.  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  32. 

®2  Ibid. 

®3  Ibid.,  40. 

®'^  Government  Accountability  Office,  Critical  Infrastructure  Protection,  4. 
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thresholds.®^  This  process  is  somewhat  subjective  in  how  assets  are  placed  on  the  federal 
Cl  list.  The  consequence  thresholds  in  the  federal  data  call  are  labeled  “For  Official  Use 
Only”  (FOUO)  and  will  not  be  included  in  this  thesis  unless  they  have  been  included  in 
open-source  sector  specific  plans.  The  NCIPP  also  identifies  Level  3  for  sector  specific 
CIKR  lists  and  Level  4  for  state  and  territory  CIKR  lists.  The  sector  and  states  lists  are 
used  to  identify  CIKR,  which  are  important  to  the  sector  or  state  but  do  not  meet  Levels  1 
or  2  criteria.®® 


Sector 
Lists 

(Regionally 

Critical) 


Level  1  and  Level  2  Lists:  In  accordance  with  the  9/11  Comnilsslon  Act, 
infrastructure  capable  of  ‘national  or  regional  catastrophic  effects." 

-  Identified  through  a  national  data  call  involving  sector  and  State 
infrastructure  protection  community  partners. 


Sector  Lists:  Sector-specific  lists  of  Infrastucture  Including  Level  1  and 
Level  2  infrastructure,  as  well  as  infrastructure  critical  to  the  sector. 

-  Populated  by  the  Sector-Specific  Agencies. 


State  Lists:  State-specific  lists  of  critical  infrastucture  including  Level  1. 
Level  2.  and  Sector  List  infrastructure,  as  well  as  infrastructure  critical  to 
the  State. 

Populated  by  the  State  Homeland  Security  Advisors. 


State  Lists 

(Regionally  Crillcal) 


Foreign 
Lists 

(Regionally 
Crillcal) 


Foreign  Lists:  Foreign  infrastucture  critical  to  the  Nation's  public  health, 
economic,  and  national  security. 

—  Identified  through  a  national  data  call  involving  the  Intelligence 
Community,  sector,  and  State  partners. 


“List  of  Lists"  Approach 

Figure  2.  DHS  List  of  Lists®^ 


®®  Ibid.,  14. 

®®  U.S.  Department  of  Homeland  Security,  Food  and  Agriculture  Sector  Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Security,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-food-ag-2010.pdf.  27. 

®^  U.S.  Department  of  Homeland  Security,  Communications  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Security,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-communications-2010.pdf. 
39. 
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D,  IMPLEMENT  PROTECTIVE  PROGRAMS  AND  RESILIENCY 

STRATEGIES 

Protective  programs  and  resiliency  strategies  are  designed  to  reduce  risk  by: 
preventing,  deterring,  or  mitigating  threat;  reducing  vulnerabilities  and  minimizing 
consequences.  The  NIPP  risk  management  framework  focuses  on  efficient  allocation  of 
resources.  According  to  the  NIPP,  “effective  protective  programs  and  resiliency 
strategies  must  be  comprehensive,  coordinated,  cost  effective,  and  risk  informed.”^^ 
Programs  should  not  only  include  physical  security,  but  the  cyber  and  human  related 
elements  of  CIKR.  Protective  strategies  can  include:  “implementing  operational  changes; 
physical  protection;  equipment  hardening;  cyber  security;  system  resiliency;  backup 
communications;  response  plans,  training;  and  security  upgrades. Due  to  complex  and 
geographically  distributed  assets,  systems  and  networks,  a  collaborative  program  must 
include  participation  from  CIKR  owners  and  operators:  state,  local  and  tribal  authorities; 
federal  agencies  and  sector-specific  agencies. Cost-effective  programs  and  strategies 
focus  “actions  that  offer  the  greatest  mitigation  of  risk  per  expenditure. ”^2  Risk-informed 
programs  should  attempt  to  mitigate  of  risk  by  limiting  consequence.  Consequence 
reduction  can  be  accomplished  by  reducing  loss,  reducing  vulnerability,  and/or  reducing 

threats.  ^3 

1,  Measuring  Effectiveness 

Performance  metrics  are  used  to  determine  or  evaluate  the  overall  effectiveness  of 
programs.  The  NIPP  outlines  metric  types  and  progress  indicators.  Two  metric  types, 
output  and  descriptive  data  are  suggested  to  evaluate  programs.  Output  (or  process)  data 
are  used  “to  determine  whether  specific  activities  were  performed,  track  progress  of 
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tasks,  or  report  the  output  of  a  prooess.”^^  Descriptive  data  are  “used  to  understand  sector 
resources  and  activities. Metric  progress  indicators  “utilize  sector  priorities  to  monitor 
sector  metrics  and  data.”^®  Any  or  all  of  these  measures  will  help  to  determine  resource 
allocation  and  for  the  development  of  investment  strategies. 

E.  FEDERAL  CRITICAL  INFRASTRUCTURE  SECTOR-SPECIFIC  PLANS 

The  following  section  briefly  describes  the  scope  of  each  sector,  the  strategy  for 
develop  sector-specific  asset,  system,  and  network  lists  and  the  methodology  each  sector 
identifies  for  collaborating  with  state  and  local  partners.  The  criteria  utilized  varies 
widely  from  clear,  concise  consequence  based  as  in  the  water  sector  to  the  reliance  on 
owners  and  operators  of  CIKR  or  subject  matter  experts. 

1,  Chemical  Sector 

The  chemical  sector  represents  a  “$689  billion  business  of  chemistry”  that  can  be 
divided  into  five  areas:  (1)  basic  chemistry — raw  materials  used  in  the  manufacture  or 
processes  of  products,  (2)  specialty  chemicals — products  produced  in  lower  volumes 
used  as  the  primary  ingredient  or  as  a  processing  aid  in  the  manufacture  of  products,  (3) 
agricultural  chemicals — ^used  primarily  by  farmers  as  fertilizer  or  crop  protection,  (4) 
pharmaceuticals — includes  prescription  and  over  the  counter  drugs  and  biotechnology, 
and  (5)  consumer  products — ^packaged  goods  including,  soap,  detergents,  hair  and  skin 
care  products,  cosmetics,  and  perfume. 

The  primary  method  for  collecting  sector  CIKR  high-risk  data  is  through  the 
Chemical  Facility  Anti-Terrorism  Standards  (CFATS)  regulatory  program.  CFATS 
requires  operators  of  high  risk  chemical  facility  to  perform  security  assessments  identify 
vulnerabilities,  and  develop  security  plans.  The  Chemical  Sector-Specific  Plan  has 
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developed  the  following  eriteria  for  identifying  Level  1  and  Level  2  CIKR  based  on  the 
eriteria  developed  by  the  NCIPP  (see  Table  1). 


NCIPP  Level  1 

NCIPP  Level  2 

Those  CIKR  that,  if  disrupted,  could  result  in  at  least 
two  of  the  following  consequences: 

Those  CIKR  that,  if  dismpted,  could  result  in  at 
least  two  of  the  following  consequences: 

1 .  Greater  than  5,000  prompt  fatalities. 

2.  Greater  than  $75  billion  in  first-year  economic 
consequences. 

3.  Mass  evacuations  with  a  prolonged  absence  of 
greater  than  3  months. 

4.  Severe  degradation  of  the  country’s  national 
security  capabilities,  including  intelligence  and 
defense  functions,  but  excluding  military  facilities. 

1.  Greater  than  2,500  prompt  fatalities. 

2.  Greater  than  $25  billion  in  first-year  economic 
consequences. 

3.  Mass  evacuations  with  a  prolonged  absence  of 
greater  than  1  month. 

4.  Severe  degradation  of  the  country’s  national 
security  capabilities,  including  intelligence  and 

Table  1.  Criteria  for  NCIPP  Level  1  and  Level  2  CIKR^^ 


Throughout  the  plan  the  role  of  state  governments  is  emphasized.  Specifically,  the 
sector  utilizes  the  State,  Local,  Tribal,  and  Territorial  Government  Coordinating  Council 
(SLTTGCC)  “to  engage  State  representatives  and  maintains  particularly  focused  dialogue 
with  States  regulating  the  security  of  chemical  facilities  in  their  jurisdiction.’’^^  plan 
emphasizes  the  role  of  state,  local,  tribal,  and  territorial  authorities  as  being  critical  to  Cl 
protection.  They  constitute  “the  front  line  of  defense  in  preventing  harm  and  providing 
response  when  necessary  to  secure  the  chemical  sector’s  critical  infrastructure  through 
public  safety  agencies  such  as  local  law  enforcement,  fire  and  rescue,  emergency  medical 
services,  and  emergency  management.”^!  The  chemical  sector  plan  states  that  this  sector 
has  a  history  of  working  emergency  responders  and  regulators  at  the  state  and  local 
Level,  but  there  is  no  evidence  cited  to  support  the  effectiveness  of  this  effort. 

2,  Commercial  Facilities  Sector 

The  commercial  facilities  sector  represents  eight  sub-sectors  that  have  a 
significant  influence  on  the  nation’s  economy.  For  example,  “the  retail  industry 
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conducted  more  than  $4.6  trillion  in  annual  sales  in  2008,  has  more  than  1.6  million  U.S. 
establishments  and  more  than  24  million  employees. Additionally,  the  hotel  industry 
generated  $139.4  billion  due  to  tourist  and  business  travel  in  2007,  and  commercial 
casinos  paid  more  than  $5.7  billion  in  direet  gaming  taxes  in  2008.^3  Subseetors  inelude: 

•  Entertainment  and  media — media  produetion,  print  media  and  broadeast 
media. 

•  Gaming  facilities — easinos  and  the  faeilities  assoeiated  with  the,  sueh  as, 
hotels,  eonferenee  centers,  and  shopping  eenters. 

•  Lodging — non-gaming  resorts,  hotels  and  motels,  hotel-based  eonferenee 
eenters,  and  bed-and-breakfast  establishments. 

•  Outdoors  events — amusement  parks,  fairs,  exhibitions  and  parks. 

•  Public  assembly — convention  eenters,  auditoriums,  stadiums,  arenas, 
movie  theaters,  eultural  properties,  and  other  assets  where  large  numbers 
of  people  eongregate. 

•  Real  estate — office  buildings  and  offiee  parks,  apartment  buildings, 
multi-family  towers  and  eondominiums,  self-storage  faeilities,  and 
property  management  eompanies. 

•  Retail — enelosed  malls,  shopping  eenters,  strip  malls,  and  freestanding 
retail  establishments. 

•  Sports  leagues — major  sports  leagues  and  federations  and  a  sports 
broadeasting  network.*'^ 

Criteria  for  identifying  assets,  systems,  and  networks  references  the  federal  data 
call  but  does  not  list  these  in  the  seetor-speeifie  plan.  The  sector  uses  “eonsequence- 
based”  eriteria  (e.g.,  loss  of  life,  eeonomie  impaet,  mission  disruption)  for  developing  the 
various  Level  1/Level  2  asset  lists. primary  consequenee  utilized  is  loss  of  life,  and 
then  eeonomie  impaet.  Eaeh  subseetor  also  uses  “unique  features”  to  nominate  the 
asset,  system,  or  network  for  inelusion  as  NICPP  Level  1  or  Level  2  CIKR.  For  example, 
lodging  ineludes  the  “loeation  of  the  property,  elientele,  proximity  to  high-risk 
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enterprises,  or  the  ieonie  status  of  the  hotel. Public  assembly  lists  the  “size  of  the 
facility,  amount  of  space  or  the  occupancy  load”  as  sector  specific  attributes. 

There  are  numerous  references  to  the  importance  of  state  and  local  government 
agencies  involvement  in  identifying  assets,  systems,  and  networks.  The  plan  states: 

State  and  local  first  responders,  emergency  managers,  public  health 
officials,  and  others  involved  in  homeland  security  missions  frequently 
interact  with  Critical  Facilities  Sector  owners  and  operators  in  their 
jurisdictions  to  plan  for  and  respond  to  all  manner  of  natural  and  manmade 
hazards. 

3.  Communications  Sector 

The  communications  sector  is  a  network  of  complex  wired,  wireless,  broadcast, 
cable  and  satellites  that  delivers  critical  communications  services  throughout  the  United 
States.  Services  include:  telephone;  cellular;  radio  and  television;  paging,  data,  and  voice 
services;  and  public  safety  communications  systems.^*’ 

The  communications  sector  identifies  assets,  systems,  and  networks  by  accepting 
nominations  from  any  of  the  following: 

•  Industry — private  sector  owners  of  communications  CIKR  and  industry 
partners  that  are  dependent  on  communications  for  the  delivery  of 
services; 

•  Manager/Director  of  the  National  Communications  System  (NCS); 

•  National  Communications  System  Committee  of  Principals  and  Council  of 
Representatives — responsible  for  designating  critical  government  assets  or 
critical  and  essential  operations; 

•  Cross-Sector  Communications  Dependencies — the  sector  uses  “the 
combined  cross-sector  lists  of  Level  1  and  Level  2  CIKR  to  determine 
supporting  communications  facilities  as  follows”: 
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•  Three  or  more  Level  1  or  Level  2  CIKR  through  one 

communications  facility, 

•  Nominated  assets  as  designated  by  the  sector; 

•  Emergency  Services — includes  Public  Safety  Answering 
Points  (PSAP)  and  the  Emergency  Alert  System  (EAS)  as 
nominated  by  the  Eederal  Communications  Commission 
(ECC),  DHS  Protective  Security  Advisors  or  Emergency 
Support  Eunction  Communications  representatives; 

•  High  Capacity  Assets — Major  switching  centers,  major 
underwater  cable  landings  or  telecommunications  “hotels;” 

•  Automatic  Inclusion — credible  threats  and  national  security 
implications  are  automatically  included  in  the  sector  list. 

Assets,  systems,  and  networks  are  prioritized  using  a  consequence  based  risk 
criteria  but  the  sector  is  moving  to  a  risk-based  process. Communications  assets  are 
determined  to  be  critical  based  on  location  and  the  effects  on  end  users  in  the  incident 
impact  area.  93  The  sector  link  to  local  jurisdictions  is  stated  in  goal  three  of  the  sector- 
specific  plan  as  “improving  the  sector’s  national  security  and  emergency  preparedness 
(NS/EP)  posture  with  federal,  state,  local,  tribal,  international,  and  private  sector  entities 
to  reduce  risk.”94  State  and  local  sector  relationships  include:  regulatory  issues  with  state 
public  utilities  commissions,  state  and  local  emergency  operations  centers,  and  with  first 
responders  and  911  centers. 93 

4,  Critical  Manufacturing 

The  critical  manufacturing  sector  includes  several  different  processes  that  produce 
products  and  materials.  This  sector  is  broken  into  four  areas:  primary  metals 
manufacturing;  machinery  manufacturing;  electrical  equipment  manufacturing;  and 
transportation  and  heavy  equipment  manufacturing. 96  Sector  partners  include;  federal 
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agencies,  state,  local,  tribal  and  territorial  governments;  private  sector  owners  and 
operators;  advisory  councils;  and  academia,  research  centers  and  think  tanks. 

Assets,  systems,  and  networks  are  determined  by  a  sector-wide  risk  assessment 
process  with  voluntary  participation  and  input  from  sector  partners. 98  The  sector  plan 
states  the  following  related  to  prioritizing  CIKR,  “The  sector  prioritization  process  will 
involve  aggregating,  combining,  and  analyzing  risk-assessment  results  to  determine 
which  assets  or  systems  face  the  highest  risk  (i.e.,  the  most  critical  assets/systems). ”99 
The  prioritization  process  fundamentally  first  identifies  critical  assets  and  second 
determines  how  to  provide  the  best  and  most  cost-effective  protective  actions. 

The  Critical  Manufacturing  Sector  Plan  states,  “State,  local,  tribal  and  territorial 
authorities  are  integral  to  protecting  our  nation’s  infrastructure  and  are  the  front  line  of 
defense  for  our  nation’s  infrastructure  and  serve  as  or  in  close  proximity  to  the  owners  or 
operators  of  CIKR.  ”1^0  Some  evidence  of  engagement  of  state  and  local  emergency 
planners  is  the  efforts  of  this  sector  to  participate  in  local  emergency  planning  activities, 
such  as  hazardous  materials  incident  planning. 

5,  Dams 

The  dams  sector  includes  dam  projects,  hydropower  generation  facilities, 
navigation  locks,  levees,  dikes,  hurricane  barriers,  mine  tailings  and  other  industrial 
waste  impoundments,  and  other  similar  water  retention  and  water  control  facilities. 
Dams  serve  a  number  of  purposes  including;  holding  back  water;  impounding  water  to 
create  a  reservoir;  creating  spillways  to  control  flood  waters;  housing  equipment  to 
produce  electricity,  and  creating  canals  or  aqueducts  to  move  water  or  provide  a 
navigational  waterway  (see  Figure  3).  1^2 
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Dam  Owners  by  Type 

4%  2% 


Private 

Local  Government 
State  Government 
Unknown 

Federal  Government 
Public  Utility 


Dams  by  Primary  Purpose 


17% 


Recreation  (28,437) 

Flood  Control  and  Storm  Water  Management  (13,744) 
Fire  Protection,  Stock,  or  Small  Farm  Pond  (12,142) 
Irrigation  (8,359) 

Water  Supply  (5,952) 

Other  (5,509) 

Unknown  (3,172) 

Hydroelectric  (2,066) 

Fish  and  Wildlife  Pond  (1,713) 

Tailings  (890) 

Debris  Control  (414) 

Navigation  (244) 


Figure  3.  Dam  Ownership  and  Purpose  of  U.S.  Damsi*’^ 


Aecording  to  the  Dams  Sector  Plan,  the  “Dams  Sector  has  long-standing  and 
well-established  programs  to  assess,  mitigate,  and  respond  to  the  potential  damages 
caused  by  catastrophic  dam  failures  induced  by  natural  hazards.”  There  are  competing 
ideas  related  to  risk  assessment  within  the  dams  sector  due  to  a  lack  of  consensus 
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between  dam  owners  and  regulators  on  a  risk  assessment  methodology.!^^  The  sector 
currently  utilizes  the  consequence-based  top  screen  (CTS)  methodology  to  prioritize 
assets  based  on  consequences  (see  Table  2). 


Consequence  Category 

Consequence  Parameter 

Measurement  Unit 

Total  Population  at  Risk  (PAR) 

Number  of  people 

PAR  0-3  miles 

Number  of  people 

Human  Impacts 

PAR  3-7  miles 

Number  of  people 

PAR  7-15  miles 

Number  of  people 

PAR  15-60  miles 

Number  of  people 

Asset  Repair/Replacement 

Cost 

Millions  of  dollars 

Economic  Impacts 

Remediation  Cost 

Millions  of  dollars 

Business  Interruption  Cost 

Millions  of  dollars/year 

Water  Supply:  Population 

Served 

Number  of  people 

Irrigation:  Annual  Water 

Deliveries 

Millions  of  dollars/year  Acre-feet/year 

Impacts  on  Critical 

Hydropower  Generation:  Total 
Installed  Capacity 

Megawatts 

Functions 

Flood  Damage  Reduction: 

Annual  Damages  Prevented 

Millions  of  dollars/year 

Inland  Navigation:  Annual 
Navigation  Tonnage 

Kilotons/year 

Recreation:  Annual 

Recreational  Visitors 

Number  of  people/year 

Table  2.  Consequence-Based  Top  Screen  Parameters 


According  to  the  Dams  Sector  Plan,  state  governments  are  responsible  for  84 
percent  of  the  dams  on  the  national  inventory  of  dams  and  are  represented  by  eight  state 
dam  safety  officials  on  the  Sector  Government  Coordinating  Council.  Local 
governments,  public  utilities,  levee  districts  and  water  management  districts  own  and 
operate  dams  and  levees  are  represented  largely  by  professional  organizations.!*!^ 
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6. 


Defense  Industrial  Base  Sector 


The  defense  industrial  base  (DIB)  sector  consists  of  government  and  private 
sector  organizations  that  support  military  operations.  Sector  functions  include:  research 
and  development;  system  design  and  manufacture;  and  the  design,  development,  delivery 
and  maintenance  of  military  weapons  systems.  The  sector  focuses  on  “mission  critical 
tasks”  or  the  impact  to  defense  missions  to  analyze  and  prioritize  assets,  systems,  and 
networks.  The  criteria  for  screening  priorities  includes:  “Single  source  suppliers,  sole 
source  or  defense-unique  suppliers;  suppliers  of  dual-use  products;  suppliers  of  products 
used  in  multiple  programs;  suppliers  with  high  requalification  costs  or  long 
requalification  timeframes;  and  suppliers  developing  advanced  or  emerging  technology” 
(Figure  4).  109 


10^  U.S.  Department  of  Homeland  Seeurity,  Defense  Industrial  Base  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-defense-industrial-base- 
2Q10.pdf.  15. 

109  Ibid.,  23-24. 


30 


Figure  4.  Prioritization  Factors,  Sub  Factors,  and  Weights  n*’ 


The  sector  plans  states  a  sector  goal  related  to  risk  management  as  to  “use  an  all¬ 
hazards  approach  to  manage  the  risk-related  dependency  on  critical  DIB  assets.”  ^  One 
objective  related  to  this  goal  is  to  “improve  the  effectiveness  of  government  threat 
reporting  to  officials,  owners  and  operators  responsible  for  critical  defense  industrial  base 
assets,  local  law  enforcement,  and  other  first  responders.”  112 
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7. 


Emergency  Services  Sector 


The  primary  mission  of  the  emergency  services  sector  (ESS)  is  to  “save  lives, 
protect  property  and  the  environment,  assist  communities  impacted  by  disasters  and  aid 
recovery  during  emergencies.”  The  ESS  is  made  up  of  five  disciplines:  law  enforcement; 
fire  and  emergency  services;  emergency  management;  emergency  medical  services;  and 
public  works  within  each  discipline  there  are  a  number  of  specialized  capabilities  (e.g., 
hazardous  materials,  search  and  rescue,  explosive  ordinance  disposal,  special  weapons 
and  tactics  and  tactical  operations,  aviation).  xhe  scope  of  this  sector  includes  a  vast 
number  of  facilities,  equipment  and  trained  personnel,  spread  over  a  large,  geographic 
area.  1 

The  ESS  utilizes  the  “Target  Capabilities  Eist”  (2007),  now  known  as  the  “Core 
Capabilities  Eist”  in  the  National  Preparedness  Goal  (see  Table  3)  to  develop  sector 
goals  and  collect  information,  ESS  assets,  systems,  and  networks  consist  of 
equipment  and  materials,  vehicles,  facilities  and  data  records,  access  control  and  data 
collection  systems,  control  systems,  and  strategically  trained  personnel,  and  mutual  aid 
and  multi-agency  coordination.  The  ESS  plan  states,  “there  are  three  general  risk 
assessment  layers:  (1)  facility-specific  or  fixed  assets,  (2)  specialized  emergency  services 
assets  or  systems,  and  (3)  multiple  systems  in  a  region  or  multiple  regions. The  plan 
does  not  outline  a  specific  methodology  for  identifying  or  assessing  the  risk  to  assets, 
networks,  and  systems. 


u.S.  Department  of  Homeland  Seeurity,  Emergency  Services  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-emergencv-services.pdf. 
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Tables.  Core  Capabilities  List 


The  ESS  plan  identifies  the  importanee  of  engaging  state,  local,  tribal,  and 
territorial  governments  in  the  development  of  the  sector-plan  and  asset,  system,  and 
network  identification.  Furthermore,  the  plan  states: 

...responsibility  for  incident  management  initially  falls  on  State,  local, 
tribal,  and  territorial  authorities,  but  the  majority  of  ESS  disciplines  are 
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organized  and  provided  at  the  loeal  Level  of  government  by  eareer  and 
volunteer  personnel  from  the  eommunities.  1 

This  statement  is  consistent  with  the  roles  and  responsibilities  of  emergency  response  in 
the  National  Incident  Management  System. 

8,  Energy  Sector 

The  energy  sector  “consists  of  thousands  of  electricity,  oil,  and  natural  gas  assets 
that  are  geographically  dispersed  and  connected  by  systems  and  networks”  (see  Table 
4).  120  Energy  assets  and  critical  infrastructure  are  owned  by  private,  federal,  state,  and 
local  entities,  as  well  as  some  large  industries  and  financial  institutions.  121  The  scope  of 
this  sector  is  very  large  and  each  subsector  has  some  reliance  on  other  subsectors.  For 
example,  VOpercent  of  the  electrical  generation  is  provided  by  fossil  fuels  (coal,  natural 
gas  or  oil).  122  A  2008  inventory  of  the  electricity  subsector  shows  that  there  are;  6,413 
power  plants;  30,320  substations;  6,222  miles  of  high  voltage  DC  transmission  lines,  and 
143  million  customers. ^23  The  petroleum  subsector  includes:  525,000  producing  wells, 
150  refineries,  and  1,400  petroleum  terminals.  ^24  The  natural  gas  subsector  is  comprised 
of;  478,562  gas  and  condensate  wells;  over  500  gas  processing  plants;  and  approximately 
1.5  million  miles  of  pipelines  (see  Table  4).  125 


119  Ibid.,  25. 

120  U.S.  Department  of  Homeland  Seeurity,  Energy  Sector-Specific  Plan,  2010,  U.S.  Department  of 
Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-energv-2010.pdf.  2. 

121  Ibid.,  9 

122  Ibid.,  10. 

123  Ibid.,  11. 

124  Ibid.,  13. 
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Electricity 


Petroleum 


Natural  Gas 


•  Generation 

•  Crude  Oil 

•  Production 

-  Fossil  Fuel  Power  Plants 

-  Onshore  Fields 

-  Onshore  Fields 

»  Coal 

-  Offshore  Reids 

-  Offshore  Reids 

»  Natural  Gas 

-  Terminals 

•  Processing 

»  Oil 

-  Transport  (pipelines)® 

•  Transport  (pipelines)® 

-  Nuclear  Power  Plants* 

-  Storage 

■  Distribution  (pipelines)* 

-  Hydroelectric  Dams* 

•  Petroleum  Processing  Facilities 

■  Storage'’ 

-  Renewable  Energy 

-  Refineries 

*  Liquefied  Natural  Gas  Facilities^ 

•  Transmission 

-  Terminals 

•  Control  Systems 

-  Substations 

-  Lines 

-  Control  Centers 

•  Distribution 

-  Substations 

-  Lines 

-  Control  Centers 

•  Control  Systems 

•  Electricity  Markets 

-  Transport  (pipelines)® 

-  Storage 

-  Control  Systems 

-  Petroleum  Markets 

•  Gas  Markets 

^  Hydroelectric  dams,  nuclear  facilities,  rail,  and  pipeline  transportation  are  covered  in  other  SSPs. 

^  Certain  infrastructure  of  this  asset  type  are  regulated  1:^  the  Chemical  Facility  Anti-Terrorism  Standards  (CFATS).  The  final  tiering  of  the  facilities 
covered  by  the  CFATS  was  not  completed  at  the  time  of  this  report. 


Table  4.  Segments  of  the  Energy  Seetori^e 

The  energy  sector  has  identified  six  characteristics  to  assist  in  identifying  assets, 
systems,  and  networks:  physical  and  location  features;  cyber,  volume  or  throughput, 
demands  for  energy,  human  attributes,  and  importance  of  asset  to  the  system  or 
network.  127  xhe  sector  relies  on  the  owners  and  operators  for  prioritization  of  assets  and 
networks.  The  plan  states  “from  a  grid  perspective,  the  nation’s  oil  and  natural  gas 
pipeline  systems  and  electricity  grid  are  designed  and  operated  with  built-in  redundancy 
to  ensure  a  certain  degree  of  reliability  and  resilience.”  128 

The  Energy  Sector  Plan  lists  the  following  goal:  “clearly  define  critical 
infrastructure  protection  roles  and  responsibilities  among  all  Federal,  State,  local,  and 
private  sector  partners.”  129  Furthermore,  the  plan  identifies  state  and  local  governments 
as  “crucial  stakeholders”  in  providing  secure  and  reliable  energy  to  the  nation.  1 30  Easily, 


126  Ibid.,  9 

127  Ibid.,  27. 

128  Ibid.,  39. 

129  Ibid.,  2. 

130  Ibid.,  22. 


35 


the  plan  suggests  that  to  sueeessfully  identify  the  risk  to  this  seetor  and  proteet  assets, 
systems,  and  networks.  State  and  loeal  jurisdietions  must  work  with  sector  owners  and 
operators  to  understand  which  facilities  are  critical. 

9,  Food  and  Agriculture  Sector 

The  food  and  agriculture  sector  provides  food  for  human  and  animal  consumption 
and  includes  a  system  of  production,  processing,  and  delivery.  According  to  the  sector 
plan,  the  United  States  has  approximately  44,000  food  processors,  113,000  food 
warehouses,  2.2  million  farms,  and  over  1.2  million  retail  food  facilities  and  accounts  for 
about  one-fifth  of  the  nation’s  economy.  132 

The  food  and  agriculture  sector  utilizes  two  mechanisms  to  define  and  identify 
critical  assets  within  the  sector:  1)  the  annual  federal  data  call,  and  2)  the  Food  and 
Agriculture  Sector-Criticality  Assessment  Tool  (FAS-CAT).i33  pAS-CAT  was  developed 
by  the  National  Center  for  Food  Protection  and  Defense  (NCFPD)  to  assist  with  the 
definition,  identification,  collection,  verification,  and  updating  of  infrastructure 
information.  The  food  and  agriculture  sector  plan  states  the  purpose  of  FAS-CAT  is  “to 
assist  States  in  determining  and  documenting  the  most  critical  elements,  systems,  and 
subsystems  in  the  FA  Sector  infrastructure  at  the  state  Level.”  134  There  have  been  some 
difficulties  in  collecting  information:  1)  the  sector  focuses  on  systems  versus  individual 
assets  and  2)  States  are  not  uniformly  reporting  their  list  of  assets.  1 35  Assets  that  are 
collected  are  prioritized  by  using  consequence  based  metrics.  The  following  is  listed  as 
the  criteria  for  prioritizing  assets: 

...duration  of  disruption;  complete  destruction  of  facilities;  relationship  to 
the  commodity  being  produced  (i.e.,  loss  of  acreage  of  corn  fields  versus 
loss  of  entire  specific  product);  ability  of  adjacent  and  nearby  facilities  to 


131  Ibid.,  40. 

132  U.S.  Department  of  Homeland  Seeurity,  Food  and  Agriculture  Sector  Specific  Plan,  9-10. 

133  Ibid.,  24. 

134  Ibid. 

135  Ibid.,  26. 
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adequately  compensate  for  the  loss  of  production  or  service;  financial 
markets;  and  CIKR  supporting  response  and  recovery.  136 

The  Food  and  Agriculture  Sector  Plan  references  state  and  local  jurisdiction 
largely  in  relation  to  food  protection  and  agriculture  agencies  that  have  jurisdiction  over 
the  food  supply  at  the  retail  and  wholesale  Levels.  State  and  local  agencies  are 
responsible  for  “the  inspection  and  oversight  of  over  one  million  food  establishments — 
restaurants  and  grocery  stores,  vending  machines,  cafeterias,  and  other  outlets  in  health 
care  facilities,  schools,  and  correctional  facilities.”  137  The  plan  further  states  a  goal  as  to: 

...work  with  State  and  local  entities  to  ensure  that  they  are  prepared  to 
respond  to  incidents.  The  sector  will  ensure  that  the  combined  Federal, 

State,  local,  and,  tribal  capabilities  are  prepared  to  respond  quickly  and 
effectively  to  a  terrorist  attack,  major  disease  outbreak,  or  other  disaster 
affecting  the  national  food  and  agriculture  infrastructure.  ^ 38 

10,  Finance  and  Banking  Sector 

The  banking  and  finance  sector  describes  the  sector  as  “groups  of  products  and 
services,  which  are:  (1)  deposit,  consumer  credit,  and  payment  systems;  (2)  credit  and 
liquidity  products;  (3)  investment  products;  and  (4)  risk-transfer  products  (including 
insurance).”  139  The  financial  services  sector  includes  “more  than  18,800  federally  insured 
depository  institutions;  thousands  of  providers  of  various  investment  products,  including 
roughly  18,440  broker-dealer,  investment  advisers,  and  investment  company  complexes; 
and  7,948  domestic  U.S.  insurers. ”1^*1 

According  to  the  Banking  and  Finance  Sector-Specific  Plan  risk  assessments  are 
largely  directed  to  address  the  interdependencies  between  this  sector  and  others,  such  as 
energy,  transportation,  communications  or  information  technology,  Risk  assessment  is 


136  Ibid.,  40. 

137  Ibid.,  19. 

138  Ibid.,  20. 

139  U.S.  Department  of  Homeland  Seeurity,  Banking  and  Finance  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Seeurity,  https://www.dhs.gov/sites/default/files/publications/nipp-ssp-banking- 
and-finance-2010.pdf.  1. 

140  Ibid.,  8. 
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primarily  based  on  consequences  related  to  the  sectors  ability  to  operate  efficiently  and 
the  impact  on  public  confidence  in  the  financial  system.  1^2  xhe  plan  does  not  adequately 
define  “public  confidence”  or  state  how  this  can  be  measured.  Assets  are  prioritized 
based  on  the  following  factors: 

...degree  of  dependence  on  the  asset;  presence  or  absence  of  alternative 
suppliers;  public  need  for  the  services;  potential  impact  of  a  disruption  to 
the  financial  system;  potential  impacts  on  the  economy  through  the 
cascading  disruption  of  other  CIKR;  and  trends  and  specific  information  in 
threat  analysis.  1^3 

The  Banking  and  Finance  Sector-Specific  Plan  promotes  collaboration  through 
“regional  coalitions  to  build  relationships  and  share  information  among  financial 
institutions  and  first  responders,  emergency  management  personnel,  and  officials  at  the 
local  Level.”  1^4  However,  the  plan  does  not  define  the  make-up  of  these  coalitions.  The 
role  of  the  Financial  and  Banking  Information  Infrastructure  Committee  (FBIIC)  is  to 
“promote  information  sharing  among  and  between  the  Federal,  State,  local,  and  tribal 
authorities,  as  well  as  the  private  sector.”  145  in  addition  the  role  of  the  Treasury 
Department  is  to  “protective  response  planning  exercises  designed  to  protect  CIKR,  and 
to  create  a  response  plan  that  incorporates  State,  local,  and  tribal  law  enforcement;  and 
Enhancing  communication  and  coordination  across  the  sector.” 

11,  Healthcare  and  Public  Health  Sector 

The  health  care  subsector  encompasses  mostly  private  owned  and  operated 
organizations  that  deliver  healthcare  goods  and  services.  The  United  States  Department 
of  Health  and  Human  Services  estimates  that  this  subsector  represents  16.2  percent  or 
$2.2  trillion  of  the  nation’s  gross  domestic  product  in  2007.1“^^  The  public  health 


142  Ibid.,  12. 

143  Ibid.,  24. 

144  Ibid.,  1. 

145  Ibid.,  13. 

146  Ibid.,  12. 

142  U.S.  Department  of  Homeland  Seeurity,  Health  Care  and  Public  Health  Sector-Specific  Plan, 
2010,  U.S.  Department  of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-healthcare-and- 
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subsector  includes  federal,  state,  local,  tribal,  and  territorial  government  entities  that  deals 
with  the  health  of  the  population  and  has  a  role  in  large-scale  disaster  preparedness  (see 
Table  5).i48 


Major  Element 

Private 

Public  Sector 

Sector 

Federal 

state 

Local 

Tribal 

Healthcare  personnel 

>  13.000,000 

>  450.000* 

Hospitals 

3.905‘> 

213« 

1.105-^ 

44* 

Ambulatory  healthcare  services 

~545,000  (unable  to  separate  by  ownership)^ 

Nursing  and  residential  care  facilities 

~75.(X)0  (unable  to  separate  by  ownership)^ 

Retail  pharmacies 

-42.000'' 

Health  departments 

Parts  of  Federal  departments 
and  agencies,  including  HHS. 
Environmental  Protection 
Agency.  DoD.  and  VA 

57 

-3.000 

36 

Pharmaceutical  manufacturers 

-1.100' 

Medical  device  and  supply  companies 

-  2.500i 

Blood  and  organ  banks 

-1.200" 

Health  insurers  and  other  payers 

>1.300' 

1 

50 

^  See  HHS.  Health  Resources  and  Services  Administration.  The  Public  Health  Workforce  Enumeration,  http://ask.hrsa.gov/detail  materials. 
cfm?ProdlD=1057. 

^  See  American  Hospital  Association  2008  Survey  Statistics. 

«  Ibid. 

**  Ibid. 

®  See  Indian  Health  Services  2009  Fact  Sheets. 

*  See  U.S.  Census  Bureau.  2007  Economic  Census,  http://www.cerksiis.gov/econ/census07. 
s  Ibid. 

^  Ibid. 

'  Pharmaceutical  manufacturers  include  pharmaceutical  preparation  manufacturers  and  medicinal  and  botanical  manufacturers.  See  U.S. 
Census  Bureau.  2007  Economic  Census,  http://www.censiis.gov/econ/census07. 

^  See  U.S.  Census  Bureau.  2007  Economic  Census,  http://www.census.gov/econ/census07. 

Ibid. 

'  See  America's  Health  Insurance  Plans  Association,  www.ahlp.org. 


Table  5.  Healthcare  and  Public  Health  Statistics 


The  healthcare  and  public  health  sector  utilizes  the  Risk  Assessment  Work  Group 
(RAWG),  a  group  of  sector  wide  experts,  to  develop  sector  criteria  definitions.  The 
RAWG  “analyzes  critical  functions  in  the  sector  which,  if  disrupted,  would  lead  to 
overall  mission  degradation  and  cascading  consequences.  The  group  then  identifies  asset 
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types  that  support  these  critieal  functions  and  their  associated  attributes.”!^*’  The  RAWG 
uses  the  information  to  develop  scenarios  that  could  impact  the  sector  or  the  sectors 
ability  to  deliver  health  care  services.!^’  According  to  the  Sector-Specific  Plan, 
prioritizing  of  critical  assets,  networks,  and  systems  has  yet  to  be  completed,  but  the  plan 
outlines  the  following  as  the  goal  for  accomplishing  this.  *52 

In  the  broad  range  of  healthcare  and  public  health  sector  assets,  systems, 
and  networks  that  have  been  identified,  certain  infrastructure  components 
would  lead  to  the  most  severe  consequences  if  compromised.  After  these 
components  have  been  identified,  an  organization  will  be  better  equipped 
to  prioritize  resources  and  activities  to  protect  the  sector.  This  is  the  step 
for  prioritizing  infrastructure;  Prioritize  hazards  and  critical  infrastructure 

based  on  probability  and  consequence. 

The  Healthcare  and  Public  Health  Sector-Specific  Plan  states  that  state  and  local 
jurisdictions  are  represented  on  the  Sector  Government  Coordinating  Council.  The 
Department  of  Health  and  Human  Services,  as  the  sector  lead,  is  responsible  for 
“working  through  two  major  State  and  local  healthcare  and  public  health  professional 
associations  to  establish  appropriate  links  with  State,  local,  and  territorial  public  health 
entities.”!  5"! 


12,  Information  Technology  Sector 

The  information  technology  (IT)  sector  is  comprised  of  physical  assets  and  virtual 
systems  and  networks  that  provide  “key  capabilities  and  services”  to  the  public  and 
private  sectors.  !^^  The  IT  Sector-Specific  Plan  identifies  six  critical  functional  areas  that 
affect  the  sector’s  ability  to  provide  IT  services:  incident  management  capabilities; 
domain  name  resolution  services;  identity  management  and  associated  trust  support 


!50  Ibid.,  20. 
!5!  Ibid.,  24. 
!52  Ibid.,  28. 
!53  Ibid. 


!54  Ibid.,  14. 

!35  U.S.  Department  of  Homeland  Seeurity,  Information  Technology  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Seeurity,  http s  ://www . hsdl. org/? ab straet&did=7 8 9 9 .  1 . 
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services;  Internet-based  content,  information,  and  communications  services;  and,  Internet 
routing,  access,  and  connection  services, 

The  IT  sector  utilizes  the  NIPP  Risk  Management  Framework  for  identifying 
sector  assets,  systems,  and  networks  but  largely  relies  on  the  subject  matter  experts  assess 
sector  assets,  networks,  and  systems.  1^7  ix  sector  risk  reduction  and  prioritization 
strategies  focus  on  functions  that  would  have  the  greatest  impact  on  sector  capabilities 
based  on  feedback  from  the  subject  matter  experts  (Table  6). 
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IT  Sector  Critical  Function 


Risks  of  Concern 


Produce  and  provide  IT  products  and  services 

Production  or  distribution  of  untrustworthy  critical  product  or  service  through  a 
successful  manmade  deliberate  attack  on  a  supply  chain  vulnerability. 

Provide  domain  name  resolution  services 

Breakdown  of  a  single  interoperable  Internet  through  a  manmade  attack,  and 
resulting  failure  of  governance  policy;  large-scale  manmade  Denial-of-Service 
attack  on  the  DNS  infrastructure. 

Provide  Internet-based  content,  information, 
and  communications  services 

Manmade  unintentional  incident  caused  in  Internet  content  services  results  in 
a  significant  loss  of  e-Commerce  capabilities. 

Provide  Internet  routing,  access,  and 
connection  services 

Partial  or  complete  loss  of  routing  capabilities  through  a  manmade  deliberate 
attack  on  the  Internet  routing  infrastructure. 

Provide  incident  management  capabilities 

Impact  to  detection  capabilities  because  of  a  lack  of  data  availability  resulting 
from  a  natural  threat. 

Table  6.  IT  Sector  Risk  Profile 
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The  IT  Sector-Specific  Plan  identifies  the  importance  of  collaboration  with  State 
and  local  jurisdictions  in  the  development  of  the  sector  plan.  The  plan  states,  “By 
working  together,  private  and  public  IT  Sector  partners  can  prioritize  protective 
initiatives  and  investments  within  and  across  sectors.”  Collaboration  will  help  to 
ensure  efficient  allocation  of  resources.  According  to  the  plan,  states  are  represented 
through  the  National  Association  of  Chief  Information  Officers  and  local  governments 
through  the  SLTTGCC.165 

13,  Nuclear  Sector 

The  nuclear  sector  is  comprised  of  nuclear  power  plants;  research,  training  and 
test  reactors;  deactivated  nuclear  facilities;  fuel  cycle  facilities;  nuclear  materials 
transport;  radioactive  materials;  radioactive  source  production  and  distribution  facilities; 
and  nuclear  waste,  The  most  visible  assets  within  the  sector  are  104  nuclear  power 
plants  and  32  research  and  test  reactors,  but  radioactive  materials  are  used  “tens  of 
thousands”  of  times  each  day  for  medical,  research  and  industrials  uses  (Table  1)}^'^ 
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Nuclear  Power  Plants: 

•  Boiling  water  reactors  (BWR):  and 

•  Pressurized  water  reactors  (PWR). 

Research.  Training,  and  Test  Reactors: 

•  Government  research  and  test  reactors: 

•  University  research  and  training  reactors:  and 

•  Private  research  and  test  reactors. 

Decommissioned  Nuclear  Facilities: 

•  Deactivated  reactors:  and 

•  Other  deactivated  nuclear  facilities. 

Fuel  Cycle  Facilities: 

•  Uranium  mining  or  in  situ  uranium  leaching: 

•  Uranium  ore  milling  or  leachate  processing: 

■  Uranium  conversion  facilities: 

•  Uranium  enrichment  facilities: 

•  Fuel  fabrication  facilities: 

*  Category  I  (special  nuclear  materials)  facilities: 

*  Category  II  (special  nuclear  materials — moderate  strategic  significance)  facilities:  and 

*  Category  III  (special  nuclear  materials — low  strategic  significance)  facilities. 

Nuclear  Materials  Transport: 

•  Low-hazard  radioactive  materials  transport:  and 

•  High-hazard  radioactive  materials  transport. 

Radioactive  Materials: 

’  Medical  facilities  with  radioactive  materials: 

•  Research  facilities  using  radioactive  materials: 

•  Irradiation  facilities:  and 

-  Industrial  facilities  vrith  nuclear  materials. 

Radioactive  Source  Production  and  Distribution  Facilities: 

•  Radioactive  device  manufacturers: 

•  Radioactive  source  producers: 

•  Radioactive  source  importers:  and 

•  Radioactive  source  manufacturers. 

Nuclear  Waste: 

•  Low-level  radioactive  v^ste  processing  and  storage  facilities: 

•  Sites  managing  accumulations  of  naturally  occurring  radioactive  materials  (NORM): 

•  Spent  nuclear  fuel  processing  and  storage  facilities: 

*  Spent  nuclear  fuel  wet  storage  facilities:  and 

*  Spent  nuclear  fuel  dry  storage  facilities: 

•  Transuranic  waste  processing  and  storage  facilities: 

•  High-level  radioactive  waste  storage  and  disposal  facilities:  and 

•  Mixed  waste  processing. 


Table  7.  Nuclear  Sector  Taxonomyi®^ 


The  nuclear  sector  is  heavily  regulated  and  must  comply  with  numerous  statutory 
requirements.  This  makes  asset,  system,  and  network  identification  information  readily 
available  for  the  development  of  the  sector  plan.  The  sector  does  not  require  states  to 
submit  federal  data  call  Level  1  or  Level  2  asset  information  but,  it  does  coordinate  with 
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state  and  local  jurisdictions  to  identify,  request  and  use  nuclear  CIKR  information, 
Nuclear  CIKR  assets,  systems,  and  networks  are  prioritized  based  on  the  potential 
radiological  consequences  associated  with  an  attack. 

The  Nuclear  Sector-Specific  Plan  places  a  large  emphasis  on  collaborating  with 
state  and  local  jurisdictions  in  the  protection  and  resiliency  of  nuclear  CIKR.  However,  as 
stated  below,  the  relationship  appears  to  be  mostly  tied  to  state  representation  and 
information  sharing, 

The  Nuclear  Regulatory  Commission  (NRC)  looks  to  the  State  liaison 
officers  to:  (1)  provide  the  primary  communications  channels  between  the 
States  and  the  NRC;  (2)  serve  as  the  key  members  in  the  States  to  keep  the 
governors  informed  on  issues  under  NRC’s  jurisdiction;  and  (3)  provide 
the  NRC  with  State  information  on  particular  nuclear  safety,  security, 
emergency,  or  environmental  issues. 

The  plan  does  offer  some  information  related  to  emergency  planning  zones,  which  can  be 
utilized  by  state  and  local  jurisdictions  for  emergency  planning  to  assess  the  potential 
consequences  associated  with  a  radioactive  material  release.  1^2 

14,  Transportation  Systems  Sector 

The  transportation  sector  is  comprised  of  six  subsectors:  aviation;  freight  rail; 
highway;  maritime;  mass  transit  and  passenger  rail;  and  pipelines.  According  to  the 
sector  plan,  transportation  is  responsible  for  the  movement,  distribution,  and  delivery  of 
billions  of  passengers  and  millions  of  tons  of  good  each  year  (Table  8).  1^3 


Ibid,  pp,  43-46 

120  Ibid.,  66 

121  Ibid.,  34 

122  Ibid.,  55 

123  U.S.  Department  of  Homeland  Seeurity,  Transportation  Systems  Sector-Specific  Plan,  2010,  U.S. 
Department  of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nipp-ssp-transportation-svstems- 
201Q.pdf.  18. 
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Aviation 

Comprised  of  aircraft,  air  traffic  control  systems,  and 
approximately  450  U.S.  commercial  airports  and  19,000  public 
airfields.  This  mode  includes  civil  and  joint -use  military 
airports,  helipads,  short  take-off  and  landing  ports,  and  seaplane 
bases. 

Freight  Rail 

Consists  of  seven  major  carriers,  hundreds  of  smaller  railroads, 
over  140,000  miles  of  active  railroad,  over  1.3  million  freight 
cars,  and  roughly  20,000  locomotives.  Over  12,000  trains  are 
operating  per  day.  The  Department  of  Defense  has  designated 
30,000  miles  of  track  and  structure  as  critical  to  the  mobilization 
and  re-supply  of  U.S.  Forces. 

Highway  and  Motor  Carriers 

Encompasses  more  than  four  million  miles  of  roadways  and 
associated  infrastructure  such  as,  600,000  bridges  and  tunnels, 
which  carry  vehicles  including  automobiles,  school  buses, 
motorcycles,  and  all  types  of  trucks,  trailers,  and  recreational 
vehicles. 

Maritime 

Includes  a  wide  range  of  watercraft  and  vessels  and  consists  of 
approximately  95,000  miles  of  coastline,  361  ports,  more  than 
10,000  miles  of  navigational  waterways,  3.4  million  square 
miles  of  the  Exclusive  Economic  Zone,  and  intermodal  landside 
connections,  which  allow  the  various  modes  of  transportation  to 
move  people  and  goods,  to,  from,  and  on  the  water. 

Mass  Transit  and 

Passenger  Rail 

Includes  multiple-occupancy  vehicles,  such  as  transit  buses  and 
facilities,  trolleybuses,  monorails,  heavy  (subway)  and  light  rail, 
passenger  rail  (including  both  commuter  rail  and  long  distance 
rail),  automated  guide-way  transit,  inclined  planes,  and  cable 
cars,  designed  to  transport  customers  on  regional  and  local 
routes. 

Pipelines 

Includes  vast  networks  of  pipeline  that  traverse  hundreds  of 
thousands  of  miles  throughout  the  country,  pipeline  city  gate 
stations,  distribution  networks  and  terminals  that  transport  and 
distribute  nearly  all  of  the  Nation’s  natural  gas  and  65  percent  of 
hazardous  liquids,  as  well  as  various  chemicals.  These  pipeline 
networks  are  operated  by  over  3,000  operators. 

Table  8.  Transportation  Systems  Sector  Modal  Divisions 


The  transportation  sector  relies  in  the  annual  federal  data  call  to  develop  a  list  of 
assets,  systems,  and  networks  that  make  up  transportation  CIKR.  The  sector  utilizes 
consequence  to  which  assets,  systems,  and  networks  are  most  critical,  based  on  “hazard- 
specific”  scenarios.  According  to  the  sector  plan,  transportation  CIKR  is  prioritized 


174  Ibid.  15-16. 

175  Ibid.,  4. 
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using  four  primary  parameters;  intelligenee  and  risk  assessments;  legislative  and 
exeeutive  requirements;  budget  and  implementation  eonstraints;  and  safety  and  privaey 
considerations  and  stakeholder  concerns, 

The  Transportation  Sector  Plan  states,  “State  and  local  governments  are 
responsible  to  manage  sector  protection  within  their  jurisdictions.”  Furthermore,  it  states, 
“local  governments  represent  the  “front  lines”  for  first  responses  to  incidents  involving 
sector  assets.”  Lastly,  in  order  to  meet  sector  resiliency  goals,  state  and  local 
governments  must  assist  in  collecting  infrastructure  information,  This  places  a  large 
amount  of  responsibility  on  state  and  local  partners  in  order  to  meet  sector  protection  and 
resiliency. 

15,  Water  and  Wastewater  Systems  Sector 

The  water  and  wastewater  sector  has  two  key  subsectors:  water  treatment,  storage, 
and  distribution  and  wastewater  treatment.  The  water  subsector  includes:  drinking  water 
and  water  to  meet  healthcare,  fire  protection,  and  heating  and  cooling  processes.  The 
sector  plan  states  that  “there  are  approximately  153,000  Public  Water  Systems  of  various 
sizes  and  users  in  the  United  States.”  The  physical  elements  of  a  drinking  water  system 
include:  water  source;  conveyance;  raw  storage;  treatment;  treated  water  storage; 
distribution  system;  and  a  monitoring  system  (Figure 


176  Ibid.,  40-41. 

177  Ibid.,  22. 

178  U.S.  Department  of  Homeland  Seeurity,  Water  and  Wastewater  Systems  Sector-Specific  Plan, 
2010,  U.S.  Department  of  Homeland  Seeurity,  http://www.dhs.gov/xlibrarv/assets/nmp-ssp-water- 
2010.pdf.  8-9. 


47 


I 

£ 

w 

z 


2a804 


30.000 


25,000 

20,000 

15,000 

10,000 

5,000 

0 


25500  501-3,300  3,301-10,000  10.001-100.000 

(Very  Small)  (Small)  (Medium)  (Large) 


>  100.000 
(Very  Large) 


System  Size  by  Population  Served 

Figure  5.  Number  of  Community  Systems  and  System  Size^^^ 


There  are  over  16,500  wastewater  treatment  systems  in  the  U.S.  that  provide 
treatment  of  domestic  sewage  to  over  227  million  people  (see  Figure  Additionally, 
many  systems  provide  treatment  of  waste  water  from  industrial  facilities.  Failure  or 
disruption  of  these  systems  can  result  in  loss  of  life  or  significant  public  health  and 
environmental  impacts.  Wastewater  systems  include  the  following  physical  elements: 
collection  system;  raw  influent  storage;  treatment  system;  treated  water  storage; 
effluent/discharge;  and  monitoring  system, 


179  Ibid.,  8. 

180  Ibid.,  11. 
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Figure  6.  Numbers  of  Publicly  Owned  Treatment  Systems  and  System  Size^^^ 


While  the  sector-specific  plan  identifies  wastewater  as  a  subsector  much  of  the 
plan  is  dedicated  to  identifying  and  assessing  the  water  subsector.  1^3  The  water  subsector 
has  developed  its  own  criteria  for  identifying  CIKR  assets,  systems,  and  networks.  This 
model  includes  four  criteria  used  for  assessing  CIKR  priority  Levels;  population  served; 
quantity  of  chlorine  gas  stored  on-site;  economic  impact;  and  critical  customers 
served.  Table  9  highlights  the  criteria  utilized  in  the  water  sector.  This  model  is 
scalable  for  use  by  state  and  local  planning  partners. 


182  Ibid.,  10. 

183  Ibid. 

184  Ibid.,  30. 
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Level  Criteria 

Level  1 

Level  2 

Level  3 

Level  4 

Drinking  Water 
and  Wastewater  - 
Population  Served 

(Drinking  water  only: 
retail  plus  wholesale) 

s  Imillion 

25,000-  1  million 

3,300  -  25,000 

<  3,300 

On-site  Gaseous  Chlorine 
Storage  (average  daily 
volume  stored) 

2:  40  tons 

20  -  40  tons 

1-20  ton(s) 

<  1  ton 

Economic  Impact 

(regional  impact;  not 
including  value  of 
statistical  life) 

S  $100  billion 

$5-  $100  billion 

$100  million — $5  billion 

<  $100  million 

Critical  Customers  Served 

Federal 

Government 

Defined 

Federal 

Government 

Defined 

Two  or  more  of  the  following; 

•  Level  1  Trauma 

•  Venue  that  holds  10,000  or 
more  preople 

•  National  Icons 

•  Key  Defense  facilities 

•  Key  Defense  Industrial 

Base  assets 

Not  Applicable 

Table  9.  Water  Sector  Level  Criteriai^^ 


185  Ibid. 
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The  Water  Sector  Plan  indicates  the  role  of  State  and  local  jurisdictions  as 
supporting  the  sector’s  planning,  protection,  and  resiliency  initiatives. Among  the 
sector  goals  and  objectives  related  to  state  and  local  jurisdictions  are; 

•  Goal  4;  Increase  communication,  outreach  and  public  confidence; 

•  Objective  2;  Enhance  communication  and  coordination  among  utilities  and 
federal,  state,  and  local  officials  and  agencies  to  provide  information  about 
threats. 

F.  KEY  FINDINGS  OF  SECTOR-SPECIFIC  PLANS 

Each  sector-specific  plan  identifies  some  methodology  and  has  established  an  all¬ 
hazards  approach  for  identifying  assets,  systems,  and  networks  within  their  respective 
sector.  However,  the  criteria  utilized  varies  widely  from  clear,  concise,  consequence 
based,  as  in  the  water  sector,  to  the  reliance  on  owners  and  operators  of  CIKR  or  subject 
matter  experts.  There  is  no  evidence  that  the  sector  plans  are  scalable  for  use  at  the  state 
and  local  jurisdictional  Level.  This  is  supported  in  an  October  2011  State,  Local,  Tribal, 
and  Territorial  Government  Coordinating  Council  report  on  Northeast  Critical 
Infrastructure  Protection  Programs.  Among  the  major  findings  in  the  report  were  that: 

...the  large  majority  of  State  CIP  coordinators  indicated  a  need  for  clearer 
guidance  from  U.S.  Department  of  Homeland  Security  National  Protection 
and  Programs  Directorate  Office  of  Infrastructure  Protection  (NPPD/IP) 
about  what  constitutes  a  “critical”  asset.  Respondents  reported  that 
NPPD/IP  has  been  reluctant  to  produce  criteria  apart  from  the  guidance 
included  in  NCIPP. 

The  report  also  found  that  the  northeast  states  have  focused  their  CIKR  programs  on 
assessing  “core  lifeline  sectors-  water  and  waste  water,  energy,  communications, 
transportation,  and  information  systems.” 


186  Ibid.,  1. 

187  Ibid.,  17. 

188  State,  Local,  Tribal,  and  Territorial  Government  Coordinating  Council,  Final  Report:  Northeast 
Critical  Infrastructure  Protection  Programs  (Washington,  DC:  State,  Local,  Tribal,  and  Territorial 
Government  Coordinating  Council,  2011),  6. 

189  Ibid.,  8. 
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Most  sectors  reference  the  annual  federal  data  call  or  the  National  Critical 
Infrastructure  Prioritization  Program  (NCIPP)  as  the  established  parameters  for  states  to 
report  on  Level  1  and  Level  2  CIKR.  The  NCIPP  utilizes  a  consequence  based  criteria  for 
identifying  Level  1  and  Level  2  assets,  However,  the  success  of  the  NCIPP  relies  on 
voluntary  participation  from  public  and  private  CIKR  partners  for  populating  the  NCIPP 
asset  list.  Among  the  finding  in  GAO-13-296  relating  to  state  participation  on  the 
NCIPP  program  was  that  “most  state  officials  contacted  reported  that  it  is  difficult  to 
nominate  assets  to  the  NCIPP  list  using  the  consequence-based  criteria,  and  two  officials 
said  that  they  are  considering  whether  to  continue  to  participate  in  the  NCIPP 
process.”  192  Furthermore,  “Homeland  security  officials  representing  13  of  the  15  states 
told  us  that  they  believe  that  the  nomination  process  is  moderately  difficult  or  very 
difficult  and  at  least  two  states  no  longer  participate  due  to  the  time  and  effort 
required.”  193 

Numerous  references  in  each  sector  plan  are  made  to  the  importance  of  engaging 
or  collaborating  with  local  jurisdictions  in  CIKR  planning,  but  there  is  no  information 
within  each  sector  plan  to  assist  local  identification  of  assets,  systems  and  networks. 
Many  sectors  identify  the  SLTTGCC  as  the  link  between  the  federal  sector-specific 
agencies  (SSA)  and  state  and  local  jurisdictions.  The  State,  Local,  Tribal,  and  Territorial 
Government  Coordinating  Council  report  on  Northeast  Critical  Infrastructure  Protection 
Programs  cites  several  potential  disconnects  with  the  relationship  between  the  federal 
SSA’s  and  state  and  local  participation  in  CIKR  planning.  For  example,  the  reports  states: 

The  NPPD/IP  develops  and  deploys  programs  to  the  field  under  the 
assumption  that  each  State  has  a  robust  and  dedicated  CIP  program  office. 

In  reality,  these  small  State  CIP  units  are  doing  much  with  little,  but  they 
need  NPPD/IP  to  design  programs  with  their  staff  resources  and  associated 
capabilities  in  mind.  194 


190  Government  Accountability  Office,  Critical  Infrastructure  Protection,  13. 

191  Ibid.,  9 

192  Ibid.,  30. 

193  Ibid. 

194  State,  Local,  Tribal,  and  Territorial  Government  Coordinating  Council,  Final  Report,  5. 


52 


Furthermore  it  notes,  “States  have  found  it  difficult  to  interest  local  government 
in  sustained  and  systematic  CIP  efforts,  except  in  situations  where  federal  funding 
streams  are  attached.”  195  Lastly,  related  to  local  participation  the  report  explains: 

...local  government  officials  interviewed  by  the  Council  indicated  that 
their  primary  activities  focus  on  identifying  assets  and  conducting  or 
participating  in  a  limited  number  of  site  assessments.  The  primary  obstacle 
to  extending  CIP  to  the  local  Level  is  time  and  resources.  1 96 


195  Ibid. 

196  Ibid.,  6. 
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V.  STATE  OF  NEW  HAMPSHIRE  CRITICAL 
INFRASTRUCTURE  PROTECTION 


A,  PROBLEM 

The  earliest  references  to  formal  critical  infrastructure  protection  (CIP)  at  the 
federal  Level  can  be  found  in  Presidential  Decision  Directive  63  (PDD-63)  issues  in 
1998  by  President  William  J.  Clinton.  PPD-63  states,  “It  has  long  been  the  policy  of  the 
United  States  to  assure  the  continuity  and  viability  of  Critical  Infrastructures.”  1^7 

PPD-63  states  a  national  goal  as: 

No  later  than  the  year  2000,  the  United  States  shall  have  achieved  an 

initial  operating  capability  and  no  later  than  five  years  from  today  (May 

22,  1998)  the  United  States  shall  have  achieved  and  shall  maintain  the 

ability  to  protect  the  nation’s  Critical  Infrastructures  from  intentional 

acts.  198 

The  guidelines  for  implementing  this  directive  specifically  reference  state  and 
local  governments  as  follows:  “close  cooperation  with  state  and  local  governments  and 
first  responders  is  essential  for  a  robust  and  flexible  infrastructure  protection  program. 
All  critical  infrastructure  plans  and  action  shall  take  into  consideration  the  needs, 
activities  and  responsibilities  of  state  and  local  governments  and  first  responders.”  199 

Research  conducted  of  existing  state  homeland  security  strategies  shows  that  the 
state  of  New  Hampshire  is  the  only  state  that  has  worked  to  develop  a  “state-specific” 
criteria  for  identifying  CIKR.  Prior  to  the  terrorist  attacks  of  September  11,  2001  the  state 
of  New  Hampshire  had  little  to  no  process  in  place  to  identify  and  evaluate  the  risks  to 
infrastructure  assets  that  are  critical  to  state  and/or  local  jurisdictions. 


197  White  House,  Presidential  Decision  Directive/NSC  63. 

198  Ibid.,  2. 

199  Ibid.,  4. 
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B,  SOLUTION 

1,  State  of  New  Hampshire  Critical  Infrastructure  Protection  Program 

The  importance  of  developing  a  Cl  asset  list  and  begin  protection  planning  at 
other  than  the  federal  Level  was  identified  post  September  11,  2001.  Representatives  of 
several  state  agencies,  led  by  the  state  of  New  Hampshire  National  Guard,  were  tasked  by 
then  Governor  Jeanne  Shaheen  with  developing  a  list  of  assets  that  were  critical  within 
the  state  of  New  Hampshire.  This  processed  has  evolved  over  the  last  12  years  with  three 
distinct  efforts  to  identify  assets  that  are  critical  to  the  State  of  New  Hampshire. 

2,  Version  1 

Representatives  of  the  National  Guard  were  tasked  with  developing  a  list  of 
critical  infrastructure  assets  and  developing  a  methodology  for  assessing  each  assets 
criticality.  This  process  identified  11  critical  infrastructure  sectors  are  shown  in  Table 
10.200 


1.  Agriculture  aud  Food 

•  The  supply  chains  for  feed,  animals,  and  animal  products. 

•  Crop  production  and  the  supply  chains  of  seed,  fertilizer,  and 
other  necessary  related  materials;  and 

•  The  post-harvesting  components  of  the  food  supply  chain, 
from  processing,  production,  and  packaging  through  storage 
and  distribution  to  retail  sales,  institutional  food  services  and 
restaurant  or  home  consumption. 

2.  Water 

•  Fresh  water  supply 

•  Wastewater  collection  and  treatment 

3.  Public  Health 

•  State  and  local  health  departments 

•  Hospitals 

•  Health  clinics 

•  Mental  health  facilities 

•  Nursing  homes 

•  Blood-supply  facilities 

•  Laboratories 

•  Mortuaries 

•  Pharmaceutical  stockpiles 

4.  Emergeucy  Services 

•  Fire 

•  Rescue 

•  Emergency  Medical  Service 

200  Thomas  Haydon,  State  of  New  Hampshire  Critical  Infrastructure  Categories,  (internal  document 
New  Hampshire  Advisory  Council  on  Emergency  Preparedness  and  Security,  State  of  New  Hampshire, 
Department  of  Safety,  2004). 
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•  Law  Enforcement 

5.  Defense  Industrial 

Base 

•  Department  of  Defense  installations  and  the  private  defense 
industry 

6.  Telecommunications 

•  Voice  and  data  services 

•  Public  Switched  Telecommunications  Network  (PSTN) 

•  Internet 

•  Physical  facilities 

•  Switches,  cables,  other  equipment 

•  Cellular,  microwave,  and  satellite  services. 

7.  Energy 

•  Electricity  (Generation,  transmission  and  distribution,  and 
control  and  communications) 

•  Oil  and  Gas 

0  Oil  -  Oil  production,  crude  oil  transport,  refining, 
product  transport  and  distribution,  and  control  and 
other  external  support  systems. 

0  Gas — Exploration  and  production,  transmission,  and 

local  distribution. 

8.  Transportation 

•  Aviation 

•  Maritime  traffic 

•  Rail 

•  Pipelines 

•  Highways 

•  Trucking  and  bussing 

•  Public  mass  transit 

9.  Banking  and  Finance 

No  specific  asset  references 

10.  Chemical  Industry 
and  Hazardous 

Materials 

No  specific  asset  references 

11.  Postal  and  Shipping 

No  specific  asset  references 

Table  10.  State  of  New  Hampshire  Cl  Seetors^oi 


The  following  methodology  was  presented 
identified  in  the  above  seetors  (Table  11). 202 


as  a  mechanism  to  prioritize 
However,  evidence  in  the 


the  assets 
literature 


201  Ibid. 

202  Ibid. 
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reviewed  and  a  follow-up  interview  with  the  former  State  Direetor  of  Homeland  Security 
suggests  that  this  process  was  only  utilized  to  evaluate  select  assets. 203 

1 .  Impact  on  critical  category: 

Red  Catastrophic — complete  loss  of  output,  production  or  service 

Orange  Significant — 66%  or  more  loss  output,  production  or  service 

Yellow  Serious — 33%  or  more  loss  output,  production  or  service 

Blue  Degraded — 10%  -  33%  loss  of  output,  production  or  service 

Green  No  significant  effect 


2.  Recoverability: 


Red 

Orange 

Yellow 

Blue 

Green 


Replacement  or  repair  requires  1  month  or  longer 
Replacement  or  repair  requires  1  week  to  1  month 
Replacement  or  repair  requires  3  days  to  1  week 
Replacement  or  repair  requires  1  to  3  days 
Same  day  replacement  or  repair 


3.  Likelihood  of  being  attacked: 


Red 

Most  likely  imminent 

Orange 

Highly  likely 

Yellow 

Probable 

Blue 

Possible 

Green 

Not  likely 

Threat  to  life/safety: 

Red 

250+  injured  or  killed 

Orange 

101 — 250  injured  or  killed 

Yellow 

26 — 100  injured  or  killed 

Blue 

6 — 25  injured  or  killed 

Green 

1 — 5  injured  or  killed 

Table  1 1 .  State  of  New  Hampshire  Cl  Assessment  Criteria204 


203  Christopher  Pope  (former  State  of  New  Hampshire  Homeland  Security  Director),  interview  with 
the  author,  August  19,  2013. 

204  Ibid. 
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3. 


Version  2 


The  second  iteration  began  with  the  formal  creation  of  the  Director  of  Homeland 
Security  and  Emergency  Management  position  within  the  state  Department  of  Safety  in 
July  2006  and  the  implementation  of  the  2005  state  of  New  Hampshire  Homeland 
Security  Strategy. This  strategy  included  one  goal  and  four  objectives  related  to  CIKR 
protection  as  follows: ^06 

•  Goal:  Protection — To  achieve  and  sustain  capabilities  that  enable  the  state 
of  New  Hampshire  to  reduce  the  vulnerability  of  critical  infrastructure  or 
key  resources  (CIKR)  in  order  to  deter,  mitigate,  or  neutralize  catastrophic 
events  including  terrorist  attacks,  major  disasters,  and  other  emergencies. 

•  Objective  1:  Continue  to  develop/update  a  list  of  critical  infrastructure  and 
key  assets  in  the  state  of  New  Hampshire; 

•  Objective  2:  Develop/update  a  plan  to  reduce  vulnerabilities  of  critical 
infrastructure  and  key  assets  in  the  state  of  New  Hampshire  with  all 
participating  jurisdictions; 

•  Objective  3:  Assess  and  determine  equipment  necessary  to  improve 
security  in  and  around  key  infrastructure  in  the  state  of  New  Hampshire; 

•  Objective  4:  Develop  exercises  or  incorporate  into  planned  exercises  for 
protection  of  critical  infrastructure  in  the  state  of  New  Hampshire. 

A  March  2008  NH  Department  of  Emergency  Services  Critical  Infrastructure  and 
Key  Resources  (CI/KR)  Preparedness  Report  identified  over  3,000  assets  that  are  critical 
to  the  state.  This  list  was  developed  by  interviewing  10  county  sheriffs  and  utilizing  the 
fiscal  years  2007  and  2008  critical  infrastructure  identification  criteria.  The  primary  goal 
was  to  identify  assets  that  meet  the  federal  criteria,  and  it  but  also  identified  infrastructure 
important  to  the  state  of  NH  that  did  not  meet  the  federal  criteria.  ^07  This  list  was 
inclusive  of  both  hard  targets,  including  critical  transportation  infrastructure,  water 
treatment  and  storage  facilities,  fuel  storage  facilities,  as  well  as  “soft  targets,”  such  as 
schools  and  shopping  malls. 


205  State  of  New  Hampshire,  “Revised  Statutes  Annotated,”  2006,  State  of  New  Hampshire, 
http  ://www.  geneourt.  state. nh.us/rsa/html/i/2 1  -p/2 1  -p-mrg.htm. 

206  State  of  New  Hampshire  Homeland  Seeurity  Strategy,  2005  (restrieted-access  doeument). 

207  State  of  New  Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Homeland  Security 
CI/KR  Identification  Report  (restrieted-access  document). 
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4. 


Version  3 


The  current  program  began  in  2008  as  a  result  of  the  state  of  NH  Preparedness 
Report  and  release  of  the  Interim  National  Infrastructure  Protection  Plan.  This  reports 
states  that  the  state  will  adopt  the  following  mission  related  to  CIKR  protection; 

To  achieve  and  sustain  capabilities  that  enable  the  State  of  New 

Hampshire  to  reduce  the  vulnerability  of  critical  infrastructure  or  key 

resources  in  order  to  deter,  mitigate,  or  neutralize  catastrophic  events 

including  terrorist  attacks,  major  disasters,  and  other  emergencies.^®'^ 

The  report  further  listed  a  major  goal  of  developing  a  “state-Level”  criteria  for 
determining  critical  infrastructure  with  an  objective  of  making  the  original  list  more 
manageable. 209  To  meet  this  goal  a  critical  infrastructure  protection  (CIP)  subcommittee 
of  the  Governor’s  Advisory  Council  on  Emergency  Preparedness  and  Security  (ACEPS) 
was  created  in  June,  2008. 

The  CIP  subcommittee  was  given  two  goals: 

1.  Identify  an  assessment  tool  that  NH  can  use  to  define  state  critical 
infrastructure  and 

2.  Identify  criteria  for  defining  state  critical  infrastructure 

The  committee  chose  the  following  methodology  for  assessing  critical 
infrastructure: 

•  Utilize  the  17  critical  infrastructure  sectors  as  defined  in  the  Interim 
National  Infrastructure  Protection  Program  (NlPPj^io  (later  this  was 
expanded  to  the  18  sectors  as  identifies  in  the  2009  NIPP);2ii 

•  Add  a  “special  events”  sector  for  New  Hampshire; 

•  Assign  a  lead  person  to  work  on  each  sector; 

•  Review  one  sector  per  month; 

•  Review  interdependencies  between  sectors; 


2*^^  State  of  New  Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Preparedness  Report, 
(Coneord,  NH:  State  of  New  Hampshire,  Department  of  Safety,  2008),  (restrieted-aeeess  doeument). 

209  Ibid. 

210  U  S.  Department  of  Homeland  Seeurity,  Interim  National  Infrastructure  Protection. 

21 1  U.S.  Department  of  Homeland  Seeurity,  National  Infrastructure  Protection  Plan. 
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•  Use  the  federal  fiscal  year  2009  data  call  as  a  base  guideline  for  CI/KR 
asset  definitions  and; 

•  Develop  an  asset  criterion  that  is  quantitative  and  as  narrow  as  possible. ^12 

As  a  result  of  the  CIP  committee’s  work  over  the  last  three  years,  each  of  the 

definitions  have  been  developed  for  each  of  the  federal  sectors  resulting  in  the 
identification  of  approximately  340  critical  infrastructure  assets  in  the  state  of  New 
Hampshire.  One  addition  to  the  state  of  New  Hampshire  program  was  the  creation  an 
independent  “special  events”  sector.  A  follow-up  committee’s  leadership  met  with  the 
Department  of  Homeland  Security  Special  Events  Office  and  found  that  it  was  just  a 
collection  agency  for  events  deemed  “special”  by  a  state  or  organization  and  lacked  a 
criteria  for  strictly  defining  special  events.  In  addition,  the  NH  program  uses  DHS  data 
gathering  tools  to  develop  the  state  criteria,  but  it  has  not  adequately  defined  the 
implications  for  having  events  on  the  State  list.  The  current  list  is  utilized  by  both  the 
United  States  Department  of  Homeland  Security  Infrastructure  Protection  Protective 
Security  Advisor  and  the  State  of  New  Hampshire  Information  and  Analysis  Center  to 
perform  security  assessments  of  CI/KR  assets  throughout  the  state. 

Beginning  in  September  of  2007,  the  State  Homeland  Security  Grant  Program 
began  allocating  a  portion  of  the  required  80  percent  local  share  towards  critical 
infrastructure  protection  as  follows  (see  Table  12):213 


212  State  of  New  Hampshire  ACEPS  CIP  Subeommittee,  “Meeting  Minutes,”  Coneord,  NH,  June  8, 
2008. 

213  State  of  New  Hampshire  Department  of  Safety,  “Grants  Management,”  accessed  August  15,  2013, 
https://www.nh.gov/safetv/divisions/homeland/2012/index.htm. 
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Year 

80%  Local  Share 

CIP  Allocation 

2007 

$3,056,000 

$350,000 

2008 

$3,702,000 

$500,000 

2009 

$3,914,700 

$500,000 

2010 

$3,813,978 

$500,000 

2011 

$2,718,292 

$250,000 

2012 

$2,241,052 

$150,000 

Totals 

$19,446,022.00 

$2,250,000.00 

Table  12.  State  of  New  Hampshire  Cl  Proteetion  Spending  2007-2012214 


There  are  two  primary  eonditions  that  determine  CIP  grant  eligibility  for  loeal 
jurisdietions:  1)  assets  must  be  identified  on  the  state  eritieal  infrastrueture  list  and  2) 
identified  assets  must  have  vulnerability  assessment  eompleted  by  either  the  state  of  NH 
or  the  Department  of  Homeland  Seeurity.2i5 

C.  ANALYSIS 

The  state  of  New  Hampshire  is  the  only  state  to  date  that  has  worked  to  develop 
“state-specifie”  eriteria  for  identifying  CIKR.  The  New  Hampshire  program  follows  the 
federal  strategy  by  assigning  seetor-speeifie  ageneies,  but  it  limits  the  possibility  of 
“stove-piping”  by  having  all  seetor  subjeet  matter  experts  report  baek  to  a  main  Critieal 
Infrastructure  Committee.  The  Critical  Infrastructure  Committee  then  makes  a 
recommendation  to  the  State  of  New  Hampshire  Governor’s  Advisory  Council  on 
Emergency  Preparedness  and  Security  for  adoption.  The  state  of  New  Hampshire 
program  was  developed  definitions  for  identifying  CIKR  assets  that  are  critical  to  the 
state  or  region.  2 16  This  strategy  can  assist  the  state  in  developing  Cl  protection  plans  and 
justifying  the  allocation  of  State  Homeland  Security  Grant  monies  for  buying  down  risk. 
There  is  little  evidence  in  this  program  to  indicate  the  engagement  of  local  jurisdictions  in 


214  State  of  New  Hampshire  Department  of  Safety,  Grants  Management  Unit,  request  for  information 
related  to  homeland  security  grant  funding,  August  12,  2013,  via  email  correspondence. 

215  Ibid. 

216  State  of  New  Hampshire,  Department  of  Safety,  State  of  New  Hampshire  Homeland  Security 
CI/KR  Identification  Report  (restricted-access  document). 
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the  development  of  Critieal  Infrastructure  Protection  Programs.  As  an  example,  as  of 
August  2013,  of  the  $2,250,000  allocated  for  CIKR  protection  only  $810,809  have  been 
awarded  to  local  jurisdictions  for  CIKR  projects.  This  does  not  include  pending  grant 
proposals  for  award  under  the  2011  and  2012  funding. Furthermore,  while  the 
committee  set  a  goal  to  use  a  qualitative  approach  to  developing  asset  definitions  and 
lists,  a  review  of  committee  minutes  and  asset  list  suggests  that  in  at  least  one  sector, 
agriculture  and  food,  the  asset  list  was  largely  developed  in  a  subjective  manner  and 
remains  incomplete  as  of  August  2013. 

D,  CONCLUSION 

The  State  of  New  Hampshire  CI/KR  Protection  Program  lays  the  foundation  for 
identifying  assets  that  are  critical  to  the  state  and  region.  The  program  was  able  to  meet 
the  2008  state  preparedness  goal  of  developing  a  “state-Level”  criteria  for  determining 
critical  infrastructure  with  an  objective  of  making  the  original  list  more  manageable. 
While  the  program  has  begun  to  assess  CI/KR  assets  throughout  the  state,  the  program 
still  needs  to  better  engage  local  jurisdictions  in  CI/KR  protection  and  resiliency 
planning. 


21^  State  of  New  Hampshire  Department  of  Safety,  Grants  Management  Unit,  request  for  information 
related  to  homeland  seeurity  grant  funding,  August  12,  2013,  via  email  eorrespondenee. 
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VI.  CONCLUSION  AND  RECOMMENDATIONS 


“Alone  we  ean  do  so  little;  together  we  can  do  so  much” 


Helen  Keller^is 


A,  CONCLUSION 

This  research  sought  to  examine  the  relationship  between  the  National 
Infrastructure  Protection  Program  and  local  critical  infrastructure  planning.  Specifically, 
it  looked  at  to  what  extent  does  the  federal  criteria  for  identifying  federal  critical 
infrastructure  and  key  resources  apply  to  state  and  local  identification  of  critical 
infrastructure  and  key  resources.  As  the  first  line  of  defense  and  response  to  incidents 
within  their  jurisdictions,  local  officials  must  work  to  identify  what  critical  infrastructure 
exists  within  and  more  importantly,  if  lost,  what  will  have  an  impact  on  the  community’s 
ability  to  provide  services. 

While  some  states  have  worked  to  develop  CIKR  plans  and  do  participate  in  the 
annual  federal  data  call  or  the  National  Critical  Infrastructure  Prioritization  Program,  it  is 
unclear  on  the  extent  of  participation  or  the  number  of  assets  reported.  Conversely,  all  50 
states  and  approximately  70  percent  of  the  communities  in  the  U.S.  have  approved  hazard 
mitigation  plans  under  FEMA’s  Pre-Disaster  Mitigation  Program  since  its  inception.2i9 
Between  2007  and  2012,  FEMA  awarded  1.7  billion  dollars  in  hazard  mitigation  planning 
grants. 220  During  a  similar  period,  FEMA  spent  over  17.3  billion  dollars  on  disaster 
relief  221  This  data  suggests  that  the  U.S.  is  not  committing  sufficient  resources  towards 


21^  Helen  Keller  International,  “Helen  Keller’s  Legacy,”  Helen  Keller  International, 
http://www.hki.org/about-lielen-keller/helen-kellers-legacv/. 

219  Office  of  the  Inspector  General,  U.S.  Department  of  Homeland  Security,  Survey  of  Hazard 
Mitigation  Planning,  2012,  Office  of  the  Inspector  General, 
http://www.oig.dhs.gov/assets/Mgmt/2Q12/OIG  12-109  Augl2.pdf.  1. 

220  Ibid. 

221  Office  of  Budget  and  Management,  OMB  Report  on  Disaster  Relief  Funding  to  the  Committees  on 
Appropriations  and  the  Budget  of  the  U.S.  House  of  Representatives  and  the  Senate,  2011.  White  House, 
http://www.whitehouse.gov/sites/default/files/omb/assets/legislative  reports/disaster  relief  report  sept201 

1  .pdf. 
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prevention  and  mitigation  of  the  impaets  assoeiated  with  natural  and  manmade  disasters 
and  that  inaetion  related  to  Cl  proteetion  and,  more  importantly,  resilieney  planning  is 
more  eostly. 

The  analysis  of  the  NIPP  and  subsequent  seetor-speeifie  plans  indieates  that  there 
is  no  elear  eonneetion  between  the  NIPP  and  loeal  government  CIKR  proteetion  and 
resilieney  planning.  Speeifieally,  the  federal  eriteria  for  identifying  assets,  systems,  and 
networks  is  too  broad  in  seope  and  provides  little  direetion  for  identifying  CIKR  assets, 
systems,  and  networks  at  not  only  the  federal  and  state  Level,  but  also  for  loeal 
jurisdietions.  It  also  found  that  despite  elear  referenees  to  engaging  state  and  loeal 
jurisdietions  in  planning,  there  was  no  evidence  to  support  collaboration  efforts  between 
federal,  state,  and  local  jurisdictions.  This  is  contrary  to  the  National  Security  Strategy, 
which  states,  “Collaboration  across  the  government — and  with  our  partners  at  the  state, 
local,  and  tribal  Levels  of  government,  in  industry,  and  abroad — must  guide  our 

actions. ”222 

The  terrorist  attacks  of  September  11,  2001,  Hurricane  Katrina  in  2005,  “Super 
Storm”  Sandy  in  2012,  and  the  recent  widespread  flooding  in  Colorado  only  reinforce  the 
need  for  collaboration  between  federal,  state,  and  local  government  for  pre-event 
planning,  preparation,  response,  and  recovery.  Connecting  the  different  planning 
processes  and  enhancing  information  sharing  will  make  the  U.S.  one  step  closer  to 
closing  planning  silos. 

B.  RECOMMENDATIONS 

The  following  recommendations  are  proposed  to  help  align  federal,  state,  and 
local  critical  infrastructure  planning.  Each  recommendation  proposes  to  identify  the 
implications  of  just  doing  business  as  usual  with  current  critical  infrastructure  protection 
and  resiliency  programs.  The  author  suggests  that  this  strategy  will  increase  participation 
in  critical  infrastructure  protection  and  resiliency  planning  by  providing  clear,  scalable 
guidance  for  local  jurisdictions  without  creating  new  planning  processes. 

222  House,  National  Strategy  for  Information  Sharing  and  Safeguarding,  2012,  White  House, 

http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategv  l.pdf.  14. 
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1,  Strengthen  the  Relationship  among  Federal,  State,  and  Local  CIKR 
Planning 

The  current  federal  approach  to  CIKR  planning  utilizes  a  “top  down” 
methodology  where  sector-specific  agencies  define  the  parameters  for  their  respective 
sector  and  “voluntarily”  request  asset,  systems,  and  networks  lists  from  states. 
Strengthening  participation  by  both  state  and  local  jurisdictions  will  ensure  that  no  CIKR 
assets,  systems,  and  networks  and  key  interdependencies  overlooked.  The  second  barrier 
that  needs  to  be  addressed  is  information  sharing.  There  are  two  suggested  components  to 
establishing  this  link. 


a.  Component  1 

Redefine  the  CIKR  reporting  process  from  a  “top  down”  to  an  “up  and 
down”  information  flow.  This  can  help  to  develop  necessary  relationships  and  built  on 
trust  and  credible  information.  Locals  would  submit  CIKR  lists  to  the  state,  the  state 
would  compare  this  list  with  state  criteria  and  ultimately  report  Level  1  and  Level  2 
CIKR  to  federal  CIKR  sector-specific  agencies.  Conversely,  the  federal  sectors  would 
share  information  to  states  and  states  to  appropriate  local  jurisdictions  related  to  critical 
assets,  systems,  and  networks  (see  Figure  7).  One  potential  barrier  to  the  latter  is  the  lack 
of  a  consistent  security  classification  for  information  related  to  CIKR  assets,  systems,  or 
networks. 
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Figure  7.  CIKR  Information- Sharing  Relationship 
b.  Component  2 

Implement  the  goals  and  objectives  related  to  information  sharing  at  the 
State  and  local  Levels  as  identified  in  the  National  Strategy  for  Information  Sharing  and 
Safeguarding.  Specifically,  core  principal  3 — “Information  Informs  Decision  Making,” 
which  states,  “National  security  depends  on  easy  access  to  information  at  the  Federal, 
state,  and  local  Level. ”^23  in  the  context  of  critical  infrastructure,  this  can  be 
accomplished  by  conducting  outreach  and  training  to  local  officials  on  the  Protected 
Critical  Infrastructure  Information  (PCII)  Program.  This  will  provide  local  officials  the 
necessary  link  for  sharing  information  between  private  owners  of  CIKR  and  state  CIKR 
program  officials. 

2,  Link  Hazard  Mitigation  with  National  Infrastructure  Protection  and 
Resiliency  Planning 

The  process  for  developing  hazard  mitigation  plans  utilizes  a  similar  methodology 
as  the  National  Infrastructure  Protection  Plan.  Each  plan  focuses  on  a  risk  assessment 
strategy  for  assessing  and  identifying  critical  assets,  networks,  and  systems.  As  noted 
above,  approximately  70  percent  of  U.S.  communities  and  all  50  states  are  submitting 


223  Ibid.,  7. 


68 


hazard  mitigation  plans.  This  recommendation  suggests  the  development  of  a  “hybrid” 
planning  process  incorporating  key  elements  of  hazard  mitigation  planning  and  the  NIPP. 
This  example  of  integration  is  supported  in  the  2009  version  of  FEMA’s  Comprehensive 
Preparedness  Guide,  which  suggests  that  aligning  of  planning  efforts,  such  as  critical 
infrastructure  identification,  prioritization,  and  protection,  national  preparedness  and 
planning,  and  continuity  of  operations,  combined  with  the  national  incident  management 
system,  national  response  framework,  and  the  national  preparedness  guidelines, 
determines  how  federal,  state,  and  local  agencies  work  to  prevent,  prepare,  respond  to 
and  recover  from  natural  and  manmade  disasters. ^24 

The  benefits  of  this  approach  will  be  (1)  greater  participation  by  locals  in 
identifying  critical  assets,  systems,  and  networks  and  (2)  less  reliance  on  additional 
resources  for  completion.  One  key  finding  on  the  SLTTGCC  Northeast  Critical 
Infrastructure  Protection  Programs  report  was  the  lack  of  time  and  resources  for  CIKR 
planning. 225  One  potential  obstacle  is  a  lack  of  funding  at  the  local  Level  to  facilitate 
planning  activities.  This  may  be  overcome  by  increasing  pre-disaster  hazard  mitigation 
grant  funding  opportunities  for  local  jurisdictions  or  expanding  the  use  of  state  homeland 
security  grant  funds  for  CIKR/mitigation  planning  (Figure  8). 


224  Federal  Emergency  Management  Agency,  Developing  and  Maintaining  State,  Territorial,  Tribal, 
and  Local  Government  Emergency  Plans:  Comprehensive  Preparedness  Guide,  2009,  Readiness  and 
Emergency  Management  for  Schools,  http://rems.ed.gov/docs/FEMA  GovemmentEmergencvPlans.pdf.  4- 

2. 

225  State,  Local,  Tribal,  and  Territorial  Govermuent  Coordinating  Council,  Final  Report. 
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Figure  8.  Relationships  of  the  National  Preparedness  Initiatives  to  Emergency  Planning226 


3,  Value  Proposition 

The  proposed  recommendation  to  develop  standard  CIKR  asset  definitions  and 
intersecting  the  planning  components  of  the  NIPP  and  hazard  mitigation  planning  for 
CIKR  asset  identification  should  be  considered.  The  merits  of  this  effort  and  possible 
outcomes  will  be  development  of  a  CIKR  flow  model  that  interconnects  federal,  state  and 
local  definitions.  This  information  would  allow  local  governments  to  develop  CIKR 
protection  strategies,  develop  resiliency  plans,  better  mitigate  natural  and  manmade 
disasters  and  develop  partnerships  with  the  private  sector.  With  tight  municipal  budgets 
and  a  multitude  of  obligations  competing  for  local  official’s  time,  clear  definitions  are 


226  Ibid,  4-3. 
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necessary  to  build  effective  local  CIKR  protection  and  resiliency  programs.  Lastly, 
shifting  the  local  focus  on  pre-disaster  mitigation  and  resiliency  planning  and  an  increase 
in  pre-disaster  grant  funding  may  have  a  positive  impact  by  reducing  the  reliance  on 
federal  disaster  relief  funds.  The  following  figure  highlights  the  use  of  the  “eliminate- 
reduce-raise-create”  grid  from  Blue  Ocean  Strategies  to  suggest  the  necessary  changes  to 
the  federal  approach  to  critical  infrastructure  protection  programs  that  will  allow  for 
better  alignment  with  state  and  local  partners. 


"Eliminate-reduce-raise-create"  Grid 
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Figure  9.  Strategy  Canvas227 


227  w.  Chan  Kim  and  Renee  Mauborgne,  Blue  Ocean  Strate^:  How  to  Create  Uncontested  Market 
Space  and  Make  the  Competition  Irrelevant  (Boston,  MA:  Harvard  Business  School  Press,  2005). 
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4. 


Create  Standard  Asset  Definitions  for  All  CIKR  Sectors 


The  missing  links  in  each  of  the  above  planning  process  are  standard  definitions 
for  critical  asset,  system,  and  network  identification.  Creating  a  standard,  scalable 
consequence  based  criteria  will  provide  clear  guidance  for  developing  CIKR  lists  at  the 
federal,  state,  and  local  Levels.  Use  of  a  consequence  based  criteria  based  on  the  four 
consequences  outline  in  the  NIPP:  “public  health  and  safety  (i.e.,  loss  of  life  and  illness); 
economic  (direct  and  indirect);  psychological;  and  governance  or  mission  impacts.”  ^28 
Consequence  definitions  will  allow  planner  at  all  Levels  to  assess  assets,  systems,  and 
networks  in  a  uniform  manner  and  in  most  cases  are  easier  to  identify.  The  scope  of  the 
definition  should  also  be  expanded  to  include  critical  nodes.  Critical  nodes  are  defined  as 
the  most  critical  components  of  critical  infrastructure. 229  The  use  of  the  other  elements  in 
the  risk  equation,  threat,  and  vulnerability  cannot  be  overlooked.  Although  threats  and 
vulnerabilities  can  vary  widely  between  federal,  state,  and  local  jurisdiction,  guidance  for 
determining  threat  and  vulnerabilities  should  be  developed  in  concert  with  state  and  local 
jurisdictions. 


228  u.S.  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  32. 

229  Lewis,  Critical  Infrastructure  Protection,  vii. 
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